Windows Analysis Report
POP_Swift_Copy_MTC78362-N70002.exe

Overview

General Information

Sample name: POP_Swift_Copy_MTC78362-N70002.exe
Analysis ID: 1647045
MD5: 834a71badc84386bc9079f7836a78cb9
SHA1: 69d5c88ceb1c2a01db7f33bd98aeca34ae91144a
SHA256: f358bff386209d025b38debc10a1a5297ac981099eb2f724e14fd1dbbc1c97be
Tags: exe, RedLineStealer, user-adrian__luca

Detection

AgentTesla, PureLog Stealer, RedLine
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Suricata IDS alerts for network traffic
Yara detected AgentTesla
Yara detected PureLog Stealer
Yara detected RedLine Stealer
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Check if machine is in data center or colocation facility
Contains functionality to behave differently if executed on a Russian/Kazakh computer
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Creates files in the system32 config directory
Drops VBS files to the startup folder
Drops executable to a common third party application directory
Found direct / indirect Syscall (likely to bypass EDR)
Found many strings related to Crypto-Wallets (likely being stolen)
Infects executable files (exe, dll, sys, html)
Installs a global keyboard hook
Joe Sandbox ML detected suspicious sample
Maps a DLL or memory area into another process
Queries random domain names (often used to prevent blacklisting and sinkholes)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses process hollowing technique
Sigma detected: WScript or CScript Dropper
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes data at the end of the disk (often used by bootkits to hide malicious code)
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Connects to many different domains
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to simulate keystroke presses
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Enables driver privileges
Enables security privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (may stop execution after checking a module file name)
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Potential key logger detected (key state polling based)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Spawns drivers
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Name: RedLine Stealer
Description: RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

AV Detection

Source: POP_Swift_Copy_MTC78362-N70002.exe Avira: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Java\jre-1.8\bin\jabswitch.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Java\jre-1.8\bin\klist.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Google\GoogleUpdater\135.0.7023.0\updater.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Java\jre-1.8\bin\orbd.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Java\jre-1.8\bin\keytool.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Java\jre-1.8\bin\pack200.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Java\jre-1.8\bin\jjs.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java-rmi.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Java\jre-1.8\bin\kinit.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\Au3Info.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ktab.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: 00000008.00000002.939369508.0000000003E35000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: RedLine {"C2 url": ["204.10.161.147:7082"], "Bot Id": "success", "Authorization Header": "c74790bd166600f1f665c8ce201776eb"}
Source: 8.2.RegSvcs.exe.3fa53c0.5.raw.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.xma0.com", "Username": "d.cloud@xma0.com", "Password": "london@1759"}
Source: POP_Swift_Copy_MTC78362-N70002.exe Virustotal: Detection: 82%
Source: POP_Swift_Copy_MTC78362-N70002.exe ReversingLabs: Detection: 83%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: POP_Swift_Copy_MTC78362-N70002.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: Binary string: C:\work\p4\splinters\Splinters\S\BuildResults\bin\Win32\ReaderRelease\FullTrustNotifier\FullTrustNotifier.pdb77.GCTL source: alg.exe, 00000004.00000003.1267036249.00000000014C0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\DCB\CBT_Main\BuildResults\bin\Win32\Release\armsvc.pdb source: POP_Swift_Copy_MTC78362-N70002.exe, 00000000.00000003.857605404.0000000003ED0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: E:\PkgInstaller\base\ntsetup\SrvPack.Main\tools\sfxcab\sfxcab\objfre\i386\sfxcab.pdb source: alg.exe, 00000004.00000003.1327165879.00000000014B0000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000004.00000003.1328907274.00000000014C0000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000004.00000003.1339672730.0000000000480000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: msiexec.pdb source: elevation_service.exe, 00000007.00000003.1923166633.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\AcrobatInfo.pdb source: alg.exe, 00000004.00000003.1003873112.0000000001590000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ssh-agent.pdb source: elevation_service.exe, 00000007.00000003.2052781864.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\TextExtractor.pdb444 source: alg.exe, 00000004.00000003.1139094310.0000000001590000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: 1.15.0.1.pdbex source: build.exe, 0000000A.00000002.1302827843.0000000000774000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: WINLOA~1.PDBwinload_prod.pdb source: build.exe, 0000000A.00000002.1302827843.0000000000774000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\TextExtractor.pdb source: alg.exe, 00000004.00000003.1139094310.0000000001590000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ADelRCP_Exec.pdb source: alg.exe, 00000004.00000003.1148713422.0000000001590000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: msiexec.pdbGCTL source: elevation_service.exe, 00000007.00000003.1923166633.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: mavinject32.pdbGCTL source: alg.exe, 00000004.00000003.1386116635.00000000004B0000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000004.00000003.1383123026.00000000014B0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: PresentationFontCache.pdb source: elevation_service.exe, 00000007.00000003.1899149495.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: PerceptionSimulationService.pdb source: elevation_service.exe, 00000007.00000003.1941717486.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: _.pdb source: RegSvcs.exe, 00000008.00000002.939369508.0000000003E69000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: crashreporter.pdb source: alg.exe, 00000004.00000003.1545759493.00000000012B0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: carryover.exe, 00000003.00000003.892573059.0000000004C50000.00000004.00001000.00020000.00000000.sdmp, carryover.exe, 00000003.00000003.891682528.0000000004AB0000.00000004.00001000.00020000.00000000.sdmp, carryover.exe, 00000006.00000003.909490862.0000000004E60000.00000004.00001000.00020000.00000000.sdmp, carryover.exe, 00000006.00000003.912742249.0000000004CC0000.00000004.00001000.00020000.00000000.sdmp, carryover.exe, 0000000D.00000003.1007870064.0000000004210000.00000004.00001000.00020000.00000000.sdmp, carryover.exe, 0000000D.00000003.1004439932.0000000004070000.00000004.00001000.00020000.00000000.sdmp, carryover.exe, 00000010.00000003.1033778483.0000000004070000.00000004.00001000.00020000.00000000.sdmp, carryover.exe, 00000010.00000003.1037501755.0000000004D10000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\WebInstaller\AcroMiniServicesUpdater.pdb source: alg.exe, 00000004.00000003.1112231552.0000000001590000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\plug_ins\pi_brokers\MSRMSPIBroker.pdbAAAGCTL source: alg.exe, 00000004.00000003.1260735791.00000000014C0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: MsSense.pdbGCTL source: elevation_service.exe, 00000007.00000003.1980186568.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\dbs\el\omr\Target\x64\ship\click2run\x-none\InspectorOfficeGadget.pdb source: alg.exe, 00000004.00000003.1361887205.00000000014B0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: MsSense.pdb source: elevation_service.exe, 00000007.00000003.1980186568.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\Acrobat\Installers\ShowAppPickerForPDF\Release_x64\ShowAppPickerForPDF.pdb source: alg.exe, 00000004.00000003.1274422384.00000000014C0000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000004.00000003.1283251012.0000000000480000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\WCChromeNativeMessagingHost.pdb888 source: alg.exe, 00000004.00000003.1185467540.00000000014C0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: Acrobat_SL.pdb((( source: alg.exe, 00000004.00000003.1026691951.0000000001590000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: locator.pdb source: elevation_service.exe, 00000007.00000003.1965532858.0000000000830000.00000004.00001000.00020000.00000000.sdmp, elevation_service.exe, 00000007.00000003.1974269263.00000000007A0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: DiagnosticsHub.StandardCollector.Service.pdbGCTL source: elevation_service.exe, 00000007.00000003.1875381767.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ADelRCP_Exec.pdbCC9 source: alg.exe, 00000004.00000003.1148713422.0000000001590000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\AcroBroker.pdb source: alg.exe, 00000004.00000003.1038473545.0000000001590000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: Acrobat_SL.pdb source: alg.exe, 00000004.00000003.1026691951.0000000001590000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: E:\PkgInstaller\base\ntsetup\SrvPack.Main\tools\sfxcab\sfxcab\objfre\i386\sfxcab.pdbU source: alg.exe, 00000004.00000003.1327165879.00000000014B0000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000004.00000003.1328907274.00000000014C0000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000004.00000003.1339672730.0000000000480000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\WebInstaller\AcroMiniServicesUpdater.pdbT source: alg.exe, 00000004.00000003.1112231552.0000000001590000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\workspace\CR-Windows-x64-Client-Builder\x64\Release\CRWindowsClientService.pdbGG source: alg.exe, 00000004.00000003.1201107346.00000000014C0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\AcrobatInfo.pdb))) source: alg.exe, 00000004.00000003.1003873112.0000000001590000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: mavinject32.pdb source: alg.exe, 00000004.00000003.1386116635.00000000004B0000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000004.00000003.1383123026.00000000014B0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: maintenanceservice.pdb source: alg.exe, 00000004.00000003.908376252.0000000001590000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: 64BitMAPIBroker.pdb source: alg.exe, 00000004.00000003.1250645435.00000000014C0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: msdtcexe.pdbGCTL source: elevation_service.exe, 00000007.00000003.1908491709.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: PerceptionSimulationService.pdbGCTL source: elevation_service.exe, 00000007.00000003.1941717486.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: snmptrap.pdbGCTL source: elevation_service.exe, 00000007.00000003.2001985634.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\dbs\el\omr\Target\x64\ship\click2run\x-none\InspectorOfficeGadget.pdbY source: alg.exe, 00000004.00000003.1361887205.00000000014B0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: PerfHost.pdbGCTL source: elevation_service.exe, 00000007.00000003.1961833470.00000000007A0000.00000004.00001000.00020000.00000000.sdmp, elevation_service.exe, 00000007.00000003.1952687940.0000000000830000.00000004.00001000.00020000.00000000.sdmp, elevation_service.exe, 00000007.00000003.1951213876.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: E:\jenkins\workspace\NGL_WORKFLOW\build\master\win64\Release\Acrobat\project\win\ngl-workflow\x64\Release (Acrobat)\adobe_licensing_wf_helper_acro.pdb source: alg.exe, 00000004.00000003.1235636945.00000000014C0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\WCChromeNativeMessagingHost.pdb source: alg.exe, 00000004.00000003.1185467540.00000000014C0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\work\p4\splinters\Splinters\S\BuildResults\bin\Win32\ReaderRelease\FullTrustNotifier\FullTrustNotifier.pdb source: alg.exe, 00000004.00000003.1267036249.00000000014C0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\workspace\CR-Windows-x64-Client-Builder\x64\Release\CRWindowsClientService.pdb source: alg.exe, 00000004.00000003.1201107346.00000000014C0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release\Plug_ins\pi_brokers\32BitMAPIBroker.pdb@@ source: alg.exe, 00000004.00000003.1239779841.00000000014C0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: PerfHost.pdb source: elevation_service.exe, 00000007.00000003.1961833470.00000000007A0000.00000004.00001000.00020000.00000000.sdmp, elevation_service.exe, 00000007.00000003.1952687940.0000000000830000.00000004.00001000.00020000.00000000.sdmp, elevation_service.exe, 00000007.00000003.1951213876.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\plug_ins\pi_brokers\MSRMSPIBroker.pdb source: alg.exe, 00000004.00000003.1260735791.00000000014C0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: maintenanceservice.pdb` source: alg.exe, 00000004.00000003.908376252.0000000001590000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\Acrobat\Installers\ShowAppPickerForPDF\Release_x64\ShowAppPickerForPDF.pdb$$ source: alg.exe, 00000004.00000003.1274422384.00000000014C0000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000004.00000003.1283251012.0000000000480000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: carryover.exe, 00000003.00000003.892573059.0000000004C50000.00000004.00001000.00020000.00000000.sdmp, carryover.exe, 00000003.00000003.891682528.0000000004AB0000.00000004.00001000.00020000.00000000.sdmp, carryover.exe, 00000006.00000003.909490862.0000000004E60000.00000004.00001000.00020000.00000000.sdmp, carryover.exe, 00000006.00000003.912742249.0000000004CC0000.00000004.00001000.00020000.00000000.sdmp, carryover.exe, 0000000D.00000003.1007870064.0000000004210000.00000004.00001000.00020000.00000000.sdmp, carryover.exe, 0000000D.00000003.1004439932.0000000004070000.00000004.00001000.00020000.00000000.sdmp, carryover.exe, 00000010.00000003.1033778483.0000000004070000.00000004.00001000.00020000.00000000.sdmp, carryover.exe, 00000010.00000003.1037501755.0000000004D10000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: TieringEngineService.pdb source: elevation_service.exe, 00000007.00000003.2064218672.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: TieringEngineService.pdbGCTL source: elevation_service.exe, 00000007.00000003.2064218672.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\Eula.pdb source: alg.exe, 00000004.00000003.1208714474.00000000014C0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ALG.pdb source: POP_Swift_Copy_MTC78362-N70002.exe, 00000000.00000003.863230963.0000000003F80000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: msdtcexe.pdb source: elevation_service.exe, 00000007.00000003.1908491709.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: DiagnosticsHub.StandardCollector.Service.pdb source: elevation_service.exe, 00000007.00000003.1875381767.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ALG.pdbGCTL source: POP_Swift_Copy_MTC78362-N70002.exe, 00000000.00000003.863230963.0000000003F80000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: PresentationFontCache.pdbHt^t Pt_CorExeMainmscoree.dll source: elevation_service.exe, 00000007.00000003.1899149495.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\AcroBroker.pdbTTT source: alg.exe, 00000004.00000003.1038473545.0000000001590000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: locator.pdbGCTL source: elevation_service.exe, 00000007.00000003.1965532858.0000000000830000.00000004.00001000.00020000.00000000.sdmp, elevation_service.exe, 00000007.00000003.1974269263.00000000007A0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ssh-agent.pdbX source: elevation_service.exe, 00000007.00000003.2052781864.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: AppVShNotify.pdb source: alg.exe, 00000004.00000003.1357417726.00000000014C0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: snmptrap.pdb source: elevation_service.exe, 00000007.00000003.2001985634.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release\Plug_ins\pi_brokers\32BitMAPIBroker.pdb source: alg.exe, 00000004.00000003.1239779841.00000000014C0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\Eula.pdb888 source: alg.exe, 00000004.00000003.1208714474.00000000014C0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: AppVShNotify.pdbGCTL source: alg.exe, 00000004.00000003.1357417726.00000000014C0000.00000004.00001000.00020000.00000000.sdmp

Spreading

Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSACCESS.EXE
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\servertool.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Mozilla Firefox\pingsender.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\lync.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe System file written: C:\Windows\System32\vds.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe System file written: C:\Windows\System32\snmptrap.exe
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe System file written: C:\Windows\System32\Spectrum.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe System file written: C:\Windows\System32\Locator.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Google\GoogleUpdater\135.0.7023.0\updater.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\7-Zip\7z.exe
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe System file written: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe System file written: C:\Windows\System32\AppVClient.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Mozilla Firefox\crashreporter.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\7-Zip\7zG.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe System file written: C:\Windows\SysWOW64\perfhost.exe
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe System file written: C:\Windows\System32\msiexec.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\keytool.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\lynchtmlconv.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\elevation_service.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\os_update_handler.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\IEContentService.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Mozilla Firefox\firefox.exe Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe System file written: C:\Windows\System32\TieringEngineService.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Mozilla Firefox\updater.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\kinit.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\AutoIt3\Au3Check.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\policytool.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.ShowHelp.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\7-Zip\Uninstall.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe System file written: C:\Windows\System32\FXSSVC.exe Jump to behavior
Source: C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\rmiregistry.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe System file written: C:\Windows\System32\sppsvc.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe System file written: C:\Windows\System32\SensorDataService.exe Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe System file written: C:\Windows\System32\msdtc.exe Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe System file written: C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\java-rmi.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\Installer\setup.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\pack200.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\jabswitch.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe Jump to behavior
Source: C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe System file written: C:\Windows\System32\alg.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\rmid.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\7-Zip\7zFM.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\klist.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\tnameserv.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXE Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe System file written: C:\Windows\System32\VSSVC.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\Installer\chrmstp.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\excelcnv.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\msoadfsb.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Mozilla Firefox\private_browsing.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\notification_helper.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\AutoIt3\Au3Info.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\jjs.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe System file written: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\orbd.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\chrome_pwa_launcher.exe Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe System file written: C:\Windows\System32\AgentService.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\elevated_tracing_service.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Google\Chrome\Application\chrome_proxy.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\ktab.exe Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe System file written: C:\Windows\System32\OpenSSH\ssh-agent.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Mozilla Firefox\plugin-container.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe Jump to behavior
Source: C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe Code function: 0_2_0046445A GetFileAttributesW,FindFirstFileW,FindClose, 0_2_0046445A
Source: C:\Windows\System32\alg.exe File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath\java.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath\javaw.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath\javaws.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath_target_749031\java.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath_target_749031\javaw.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath_target_749031\javaws.exe Jump to behavior

Networking

Source: Network traffic Suricata IDS: 2051648 - Severity 1 - ET MALWARE DNS Query to Expiro Related Domain (przvgke .biz) : 192.168.2.8:55076 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2043231 - Severity 1 - ET MALWARE Redline Stealer TCP CnC Activity : 192.168.2.8:49694 -> 204.10.161.147:7082
Source: Network traffic Suricata IDS: 2046045 - Severity 1 - ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) : 192.168.2.8:49694 -> 204.10.161.147:7082
Source: Network traffic Suricata IDS: 2043234 - Severity 1 - ET MALWARE Redline Stealer TCP CnC - Id1Response : 204.10.161.147:7082 -> 192.168.2.8:49694
Source: Network traffic Suricata IDS: 2046056 - Severity 1 - ET MALWARE Redline Stealer/MetaStealer Family Activity (Response) : 204.10.161.147:7082 -> 192.168.2.8:49694
Source: Network traffic Suricata IDS: 2850851 - Severity 1 - ETPRO MALWARE Win32/Expiro.NDO CnC Activity : 192.168.2.8:49689 -> 3.229.117.57:80
Source: Network traffic Suricata IDS: 2051649 - Severity 1 - ET MALWARE DNS Query to Expiro Related Domain (knjghuig .biz) : 192.168.2.8:55274 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2850851 - Severity 1 - ETPRO MALWARE Win32/Expiro.NDO CnC Activity : 192.168.2.8:49720 -> 13.213.51.196:80
Source: Malware configuration extractor URLs: 204.10.161.147:7082
Source: unknown DNS traffic detected: English language letter frequency does not match the domain names
Source: unknown Network traffic detected: DNS query count 45
Source: global traffic TCP traffic: 192.168.2.8:49694 -> 204.10.161.147:7082
Source: global traffic TCP traffic: 192.168.2.8:49696 -> 51.195.65.154:587
Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1
    Host: ip-api.com
    Connection: Keep-Alive
Source: Joe Sandbox View IP Address: 13.248.148.254 13.248.148.254
Source: Joe Sandbox View IP Address: 165.160.15.20 165.160.15.20
Source: unknown DNS query: name: ip-api.com
Source: Network traffic Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 52.11.240.239:80 -> 192.168.2.8:49682
Source: Network traffic Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 52.11.240.239:80 -> 192.168.2.8:49682
Source: Network traffic Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 3.229.117.57:80 -> 192.168.2.8:49689
Source: Network traffic Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 3.229.117.57:80 -> 192.168.2.8:49689
Source: Network traffic Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 13.213.51.196:80 -> 192.168.2.8:49693
Source: Network traffic Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 13.213.51.196:80 -> 192.168.2.8:49693
Source: Network traffic Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 54.169.144.97:80 -> 192.168.2.8:49717
Source: Network traffic Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 54.169.144.97:80 -> 192.168.2.8:49717
Source: Network traffic Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 52.43.119.120:80 -> 192.168.2.8:49729
Source: Network traffic Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 52.43.119.120:80 -> 192.168.2.8:49729
Source: Network traffic Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 18.142.91.111:80 -> 192.168.2.8:49726
Source: Network traffic Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 18.142.91.111:80 -> 192.168.2.8:49726
Source: Network traffic Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 52.26.80.133:80 -> 192.168.2.8:49734
Source: Network traffic Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 52.26.80.133:80 -> 192.168.2.8:49734
Source: Network traffic Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 54.85.87.184:80 -> 192.168.2.8:49730
Source: Network traffic Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 54.85.87.184:80 -> 192.168.2.8:49730
Source: Network traffic Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 34.229.166.50:80 -> 192.168.2.8:49724
Source: Network traffic Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 34.229.166.50:80 -> 192.168.2.8:49724
Source: Network traffic Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 34.245.175.187:80 -> 192.168.2.8:49723
Source: Network traffic Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 34.245.175.187:80 -> 192.168.2.8:49723
Source: global traffic TCP traffic: 192.168.2.8:49696 -> 51.195.65.154:587
Source: global traffic HTTP traffic detected: POST /ctbckavixptmbr HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Host: pywolwnvd.biz
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
    Content-Length: 842
Source: global traffic HTTP traffic detected: POST /wvmmm HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Host: pywolwnvd.biz
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
    Content-Length: 778
Source: global traffic HTTP traffic detected: POST /uvvrveofayh HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Host: ssbzmoy.biz
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
    Content-Length: 778
Source: global traffic HTTP traffic detected: POST /fvsaltcygk HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Host: cvgrf.biz
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
    Content-Length: 778
Source: global traffic HTTP traffic detected: POST /fjbxgvrfxmoy HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Host: pywolwnvd.biz
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
    Content-Length: 842
Source: global traffic HTTP traffic detected: POST /a HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Host: npukfztj.biz
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
    Content-Length: 778
Source: global traffic HTTP traffic detected: POST /hywpyx HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Host: przvgke.biz
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
    Content-Length: 778
Source: global traffic HTTP traffic detected: GET /hywpyx?usid=19&utid=21370373423 HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
    Host: ww12.przvgke.biz
Source: global traffic HTTP traffic detected: POST /rn HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Host: knjghuig.biz
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
    Content-Length: 778
Source: global traffic HTTP traffic detected: POST /jexgqy HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Host: pywolwnvd.biz
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
    Content-Length: 840
Source: global traffic HTTP traffic detected: POST /gkqjp HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Host: pywolwnvd.biz
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
    Content-Length: 840
Source: global traffic HTTP traffic detected: POST /ihuqfllxqmaqscha HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Host: xlfhhhm.biz
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
    Content-Length: 778
Source: global traffic HTTP traffic detected: POST /upo HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Host: ifsaia.biz
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
    Content-Length: 778
Source: global traffic HTTP traffic detected: POST /eyuhqpofhpxn HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Host: saytjshyf.biz
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
    Content-Length: 778
Source: global traffic HTTP traffic detected: POST /gs HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Host: vcddkls.biz
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
    Content-Length: 778
Source: global traffic HTTP traffic detected: POST /sgkfwupywmxx HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Host: fwiwk.biz
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
    Content-Length: 778
Source: global traffic HTTP traffic detected: GET /sgkfwupywmxx?usid=19&utid=21370402741 HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
    Host: ww12.fwiwk.biz
Source: global traffic HTTP traffic detected: POST /ognrw HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Host: tbjrpv.biz
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
    Content-Length: 778
Source: global traffic HTTP traffic detected: POST /tgsts HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Host: deoci.biz
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
    Content-Length: 778
Source: global traffic HTTP traffic detected: POST /qfhyw HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Host: gytujflc.biz
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
    Content-Length: 778
Source: global traffic HTTP traffic detected: POST /ggpr HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Host: gytujflc.biz
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
    Content-Length: 778
Source: global traffic HTTP traffic detected: POST /xoohlgupesq HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Host: qaynky.biz
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
    Content-Length: 778
Source: global traffic HTTP traffic detected: POST /ecs HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Host: bumxkqgxu.biz
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
    Content-Length: 778
Source: global traffic HTTP traffic detected: POST /cfawhmgwpyiy HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Host: dwrqljrr.biz
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
    Content-Length: 778
Source: global traffic HTTP traffic detected: POST /hfsdiqdlqie HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Host: nqwjmb.biz
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
    Content-Length: 778
Source: global traffic HTTP traffic detected: POST /kwyiwt HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Host: ytctnunms.biz
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
    Content-Length: 778
Source: global traffic HTTP traffic detected: POST /ijgqvofrskwomgdd HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Host: myups.biz
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
    Content-Length: 778
Source: global traffic HTTP traffic detected: POST /noobfnybpdyqtgb HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Host: myups.biz
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
    Content-Length: 778
Source: global traffic HTTP traffic detected: POST /bbxuxg HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Host: oshhkdluh.biz
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
    Content-Length: 778
Source: global traffic HTTP traffic detected: POST /nbtse HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Host: yunalwv.biz
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
    Content-Length: 778
Source: global traffic HTTP traffic detected: POST /uyydojcyaleeu HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Host: yunalwv.biz
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
    Content-Length: 778
Source: global traffic HTTP traffic detected: POST /evwodsoowcrdlbxc HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: jpskm.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /shfwhvfjkowl HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: lrxdmhrr.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /hparumdmsamsoscs HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: wllvnzb.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /jurhg HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: gnqgo.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /lsnpdhksdvlyaafb HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: jhvzpcfg.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /tidfalxdes HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: acwjcqqv.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /klephah HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: vyome.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /cnnbloplhcxqah HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: yauexmxk.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /eljkjluwi HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: iuzpxe.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /dwmocltoffv HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: sxmiywsfv.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /gyqpvedqb HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: vrrazpdh.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /tkyyb HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: ftxlah.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /nxngdmvpiyqwjk HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: typgfhb.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected (4 identical entries): POST /nxngdmvpiyqwjk HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Host: typgfhb.biz
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
    Content-Length: 778
    Data Raw: 5d b9 ee a1 03 17 1f 71 fe 02 00 00 6d 14 a5 af 10 3c c4 3b 21 bf 3d 55 df d6 0c 56 c8 09 2a c7 c1 b4 c7 48 c5 5c 3b b2 1c fc a1 7b 20 53 47 e5 56 54 70 44 59 66 32 33 4f d3 f6 e3 a4 88 83 ae f8 f1 82 aa 14 eb 12 9d 44 35 1a ee ca 35 e4 05 16 1c 71 6e 2c d4 b9 06 c2 14 4d d0 42 7c 03 f8 97 dc b3 5c 28 92 0e 4e 56 71 2e 3f 1b d3 30 1a 9a 83 7e d8 a5 92 45 ed 96 95 70 82 ae 06 be 4b 0c 5e 6b 0d e2 03 af 3f 44 27 c3 f6 ff 96 74 63 82 b5 07 3a e4 2a d1 5d 59 3e 57 b1 7b 83 4c f7 61 2d 5f 6b fe 31 09 78 34 da 52 21 e5 a3 91 c8 4e 8f a7 60 0f 3c ad e7 1a 49 b4 06 d3 9b 0f 07 c5 56 21 81 b8 4a 68 d6 b1 24 50 a3 1b cc 77 70 ba 75 07 4a 78 3a 2a a5 f1 d5 d7 fb fe 4c 3c 7d 5d 8e ad 16 a9 c9 d5 ce d6 ad 5d 10 b3 2b f9 8c d4 c7 e2 7d 51 c7 e6 2e 37 5e fb b7 e6 9d 4b cc 5b c7 55 4a ad 0c 3e 4f 5f 60 44 c6 e7 f4 b5 0a 40 9b 6d 03 a6 0b 35 af c7 8e 52 7c 8c 4b 6a e4 4b 1d a1 37 bb 03 44 d2 ca bb 93 3f 78 53 0c 9a ed 4b 62 8b fc 10 30 51 72 b9 d0 89 7e ab 2c f9 6b cc 3e 38 d3 9d 16 9b 97 cd 65 4b 45 e3 ae 66 b4 35 31 0b 0d 14 c0 5f 4d 02 62 eb fc 0d 45 dd 66 7f 0c 4f 72 28 02 e5 5e bd 1c 8c 70 1d cd c6 77 c1 15 09 1b b7 2c f5 74 d5 fb ed ca 24 2d 3d e0 c7 a3 70 26 4f dc f0 7d 27 98 9f e8 47 e0 be ff 79 28 a1 6f 27 28 71 34 7f 2b ed 0f e2 59 11 e4 8f 7b 57 05 95 98 d3 24 38 98 7c 70 f6 fa ea cb a0 b2 0d a2 50 9f 67 d2 53 3b 8d a1 57 11 94 73 45 f8 cf 53 21 17 5d 36 96 e1 23 ea 0c 0a f8 65 d1 e9 78 88 f0 9f 64 0e c8 32 70 fb 8a f7 81 6d 6e 2e 5b 6c 53 51 da ab 2f d7 6d c8 21 62 10 0e 0d 11 19 76 b3 6c dd 99 67 9c 69 49 d8 5d e7 8e 12 f6 b2 1d 69 18 d8 90 45 bf 22 2e e4 2e ea 22 c4 c9 4e 35 18 8b c9 94 95 0e 47 c4 b0 e7 23 fd cc 18 75 18 16 b7 57 3a 98 84 6a c7 ac 78 c4 b8 68 fe a7 a4 15 d8 b9 df 9f 6a 12 a6 e8 4b 62 33 18 17 08 19 6e 30 f6 eb 4b c0 37 ab b0 ea 7e 35 7d 8b 9e b6 21 67 a2 9a a0 4d 85 f5 65 e1 08 e6 8c 0f c6 95 ec c8 eb 6a 55 d6 8d 8e e5 58 92 1e fe 11 55 37 2b 25 51 27 93 8e fe db e7 f0 3d 74 ae 77 9e 72 90 52 44 d8 fc fc c7 93 d3 26 45 7a d6 66 e4 9d f2 66 f6 42 32 3a 9d 08 24 bd 23 c6 bc 47 38 5e 85 28 08 11 5a bd 41 0d 0d 92 aa 9f d2 eb d0 65 4b f0 0e 2f b4 8d 4b bb d2 51 2c 04 a7 c3 75 bf fa 2b bc 01 52 13 3c a7 e2 89 b4 8a 1d fd eb cd 11 de 48 4d cd b2 d5 11 90 3e 6b 61 f0 b6 c7 40 a3 21 ce 05 16 a2 91 d9 49 a8 fb 6b 3f f0 98 ab f8 a4 4f e8 a7 2f 0e 6f 8c 72 41 a9 58 78 52 4b ef bc 38 f0 82
    Data Ascii: ]qm<;!=UV*H\;{ SGVTpDYf23OD55qn,MB|\(NVq.?0~EpK^k?D'tc:*]Y>W{La-_k1x4R!N`<IV!Jh$PwpuJx:*L<}]]+}Q.7^K[UJ>O_`D@m5R|Kj
Source: global traffic HTTP traffic detected (2 identical entries): POST /nxngdmvpiyqwjk HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Host: typgfhb.biz
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
    Content-Length: 778
    Data Raw: 5d b9 ee a1 03 17 1f 71 fe 02 00 00 6d 14 a5 af 10 3c c4 3b 21 bf 3d 55 df d6 0c 56 c8 09 2a c7 c1 b4 c7 48 c5 5c 3b b2 1c fc a1 7b 20 53 47 e5 56 54 70 44 59 66 32 33 4f d3 f6 e3 a4 88 83 ae f8 f1 82 aa 14 eb 12 9d 44 35 1a ee ca 35 e4 05 16 1c 71 6e 2c d4 b9 06 c2 14 4d d0 42 7c 03 f8 97 dc b3 5c 28 92 0e 4e 56 71 2e 3f 1b d3 30 1a 9a 83 7e d8 a5 92 45 ed 96 95 70 82 ae 06 be 4b 0c 5e 6b 0d e2 03 af 3f 44 27 c3 f6 ff 96 74 63 82 b5 07 3a e4 2a d1 5d 59 3e 57 b1 7b 83 4c f7 61 2d 5f 6b fe 31 09 78 34 da 52 21 e5 a3 91 c8 4e 8f a7
    Data Ascii: ]qm<;!=UV*H\;{ SGVTpDYf23OD55qn,MB|\(NVq.?0~EpK^k?D'tc:*]Y>W{La-_k1x4R!N
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1 (50 identical entries)
Source: global traffic HTTP traffic detected: GET /hywpyx?usid=19&utid=21370373423 HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
    Host: ww12.przvgke.biz
Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1
    Host: ip-api.com
    Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /sgkfwupywmxx?usid=19&utid=21370402741 HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
    Host: ww12.fwiwk.biz
Source: global traffic DNS traffic detected: DNS query: pywolwnvd.biz
Source: global traffic DNS traffic detected: DNS query: ssbzmoy.biz
Source: global traffic DNS traffic detected: DNS query: cvgrf.biz
Source: global traffic DNS traffic detected: DNS query: npukfztj.biz
Source: global traffic DNS traffic detected: DNS query: przvgke.biz
Source: global traffic DNS traffic detected: DNS query: ww12.przvgke.biz
Source: global traffic DNS traffic detected: DNS query: ip-api.com
Source: global traffic DNS traffic detected: DNS query: zlenh.biz
Source: global traffic DNS traffic detected: DNS query: knjghuig.biz
Source: global traffic DNS traffic detected: DNS query: uhxqin.biz
Source: global traffic DNS traffic detected: DNS query: mail.xma0.com
Source: global traffic DNS traffic detected: DNS query: anpmnmxo.biz
Source: global traffic DNS traffic detected: DNS query: lpuegx.biz
Source: global traffic DNS traffic detected: DNS query: vjaxhpbji.biz
Source: global traffic DNS traffic detected: DNS query: xlfhhhm.biz
Source: global traffic DNS traffic detected: DNS query: ifsaia.biz
Source: global traffic DNS traffic detected: DNS query: saytjshyf.biz
Source: global traffic DNS traffic detected: DNS query: vcddkls.biz
Source: global traffic DNS traffic detected: DNS query: fwiwk.biz
Source: global traffic DNS traffic detected: DNS query: ww12.fwiwk.biz
Source: global traffic DNS traffic detected: DNS query: tbjrpv.biz
Source: global traffic DNS traffic detected: DNS query: deoci.biz
Source: global traffic DNS traffic detected: DNS query: gytujflc.biz
Source: global traffic DNS traffic detected: DNS query: qaynky.biz
Source: global traffic DNS traffic detected: DNS query: bumxkqgxu.biz
Source: global traffic DNS traffic detected: DNS query: dwrqljrr.biz
Source: global traffic DNS traffic detected: DNS query: nqwjmb.biz
Source: global traffic DNS traffic detected: DNS query: ytctnunms.biz
Source: global traffic DNS traffic detected: DNS query: myups.biz
Source: global traffic DNS traffic detected: DNS query: oshhkdluh.biz
Source: global traffic DNS traffic detected: DNS query: yunalwv.biz
Source: global traffic DNS traffic detected: DNS query: jpskm.biz
Source: global traffic DNS traffic detected: DNS query: lrxdmhrr.biz
Source: global traffic DNS traffic detected: DNS query: wllvnzb.biz
Source: global traffic DNS traffic detected: DNS query: gnqgo.biz
Source: global traffic DNS traffic detected: DNS query: jhvzpcfg.biz
Source: global traffic DNS traffic detected: DNS query: acwjcqqv.biz
Source: global traffic DNS traffic detected: DNS query: lejtdj.biz
Source: global traffic DNS traffic detected: DNS query: vyome.biz
Source: global traffic DNS traffic detected: DNS query: yauexmxk.biz
Source: global traffic DNS traffic detected: DNS query: iuzpxe.biz
Source: global traffic DNS traffic detected: DNS query: sxmiywsfv.biz
Source: global traffic DNS traffic detected: DNS query: vrrazpdh.biz
Source: global traffic DNS traffic detected: DNS query: ftxlah.biz
Source: global traffic DNS traffic detected: DNS query: typgfhb.biz
Source: unknown HTTP traffic detected: POST /ctbckavixptmbr HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Host: pywolwnvd.biz
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
    Content-Length: 842
Source: global traffic HTTP traffic detected (2 identical entries): HTTP/1.1 404 Not Found
    Server: nginx/1.14.0 (Ubuntu)
    Date: Mon, 24 Mar 2025 13:44:16 GMT
    Content-Type: text/html
    Content-Length: 580
    Connection: keep-alive
    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67
    Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error pag
Source: global traffic HTTP traffic detected (2 identical entries): HTTP/1.1 404 Not Found
    Server: nginx/1.14.0 (Ubuntu)
    Date: Mon, 24 Mar 2025 13:44:21 GMT
    Content-Type: text/html
    Content-Length: 580
    Connection: keep-alive
    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67
    Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error pag
Source: alg.exe, 00000004.00000003.904170083.000000000062F000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000004.00000003.905875973.000000000062F000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000004.00000003.1173663575.00000000005F1000.00000004.00000020.00020000.00000000.sdmp, carryover.exe, 00000006.00000002.920896517.0000000000B38000.00000004.00000020.00020000.00000000.sdmp, carryover.exe, 00000006.00000002.921229374.0000000000C3D000.00000004.00000020.00020000.00000000.sdmp, carryover.exe, 0000000D.00000002.1026508197.0000000000DFB000.00000004.00000020.00020000.00000000.sdmp, carryover.exe, 00000010.00000002.1044093494.0000000000B6B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://13.213.51.196/
Source: carryover.exe, 00000010.00000002.1044093494.0000000000B6B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://13.213.51.196/#79
Source: carryover.exe, 00000006.00000002.921229374.0000000000C3D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://13.213.51.196/D
Source: carryover.exe, 0000000D.00000002.1026508197.0000000000DFB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://13.213.51.196/S
Source: carryover.exe, 0000000D.00000002.1026508197.0000000000DFB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://13.213.51.196/d
Source: carryover.exe, 00000003.00000002.897217661.0000000000D2A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://13.213.51.196/dHJzp
Source: carryover.exe, 00000003.00000002.897217661.0000000000D2A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://13.213.51.196/gJ
Source: carryover.exe, 00000006.00000002.921229374.0000000000C3D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://13.213.51.196/h
Source: carryover.exe, 00000006.00000002.920896517.0000000000B8B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://13.213.51.196/mkxnxjhbyb
Source: carryover.exe, 00000006.00000002.921229374.0000000000C25000.00000004.00000020.00020000.00000000.sdmp, carryover.exe, 00000006.00000002.920896517.0000000000B8B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://13.213.51.196/mkxnxjhbybe
Source: alg.exe, 00000004.00000003.904170083.000000000062F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://13.213.51.196/ngs
Source: carryover.exe, 00000010.00000002.1044093494.0000000000B54000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://13.213.51.196/nodjrmsresfqy
Source: carryover.exe, 00000010.00000002.1044093494.0000000000B6B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://13.213.51.196/nodjrmsresfqys
Source: carryover.exe, 00000010.00000002.1044093494.0000000000B6B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://13.213.51.196/p0
Source: carryover.exe, 00000006.00000002.921229374.0000000000C3D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://13.213.51.196/q
Source: alg.exe, 00000004.00000003.953993845.0000000000648000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://13.213.51.196/rn
Source: alg.exe, 00000004.00000003.953993845.0000000000648000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://13.213.51.196/rn:
Source: carryover.exe, 00000003.00000002.897217661.0000000000D2A000.00000004.00000020.00020000.00000000.sdmp, carryover.exe, 00000003.00000002.895962962.0000000000C8A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://13.213.51.196/uroydaa
Source: carryover.exe, 00000003.00000002.895962962.0000000000C8A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://13.213.51.196/uroydaal
Source: alg.exe, 00000004.00000003.905875973.0000000000648000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000004.00000003.906101921.0000000000655000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000004.00000003.904170083.0000000000648000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://13.213.51.196/uvvrveofayh
Source: carryover.exe, 0000000D.00000002.1026508197.0000000000DFB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://13.213.51.196/vswkejgamcvhnxcr
Source: carryover.exe, 0000000D.00000002.1026508197.0000000000E08000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://13.213.51.196/vswkejgamcvhnxcr3
Source: carryover.exe, 0000000D.00000002.1026508197.0000000000DFB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://13.213.51.196/vswkejgamcvhnxcrj
Source: carryover.exe, 00000003.00000002.897217661.0000000000D2A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://13.213.51.196/yJ
Source: carryover.exe, 00000006.00000002.921229374.0000000000C50000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://13.213.51.196:80/mkxnxjhbyb
Source: carryover.exe, 00000010.00000002.1044093494.0000000000B54000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://13.213.51.196:80/nodjrmsresfqy
Source: alg.exe, 00000004.00000003.953718062.0000000000674000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://13.213.51.196:80/rn
Source: carryover.exe, 00000003.00000002.897217661.0000000000D11000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://13.213.51.196:80/uroydaa
Source: alg.exe, 00000004.00000003.904170083.0000000000628000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://13.213.51.196:80/uvvrveofayh
Source: carryover.exe, 0000000D.00000002.1026508197.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://13.213.51.196:80/vswkejgamcvhnxcr
Source: alg.exe, 00000004.00000003.922597959.000000000062F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://3.229.117.57/
Source: alg.exe, 00000004.00000003.922597959.0000000000648000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://3.229.117.57/a
Source: alg.exe, 00000004.00000003.933185732.000000000062F000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000004.00000003.922597959.000000000062F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://3.229.117.57/ad
Source: alg.exe, 00000004.00000003.922597959.000000000062F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://3.229.117.57/ngs0=
Source: alg.exe, 00000004.00000003.922597959.0000000000628000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://3.229.117.57:80/ab0
Source: alg.exe, 00000004.00000003.912605706.000000000062F000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000004.00000003.891637073.000000000062F000.00000004.00000020.00020000.00000000.sdmp, carryover.exe, 00000006.00000002.920896517.0000000000B38000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://52.11.240.239/
Source: alg.exe, 00000004.00000003.891637073.000000000062F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://52.11.240.239/0=
Source: carryover.exe, 0000000D.00000002.1025952229.0000000000CF8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://52.11.240.239/5
Source: carryover.exe, 00000003.00000002.895962962.0000000000C38000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://52.11.240.239/Jl
Source: carryover.exe, 00000010.00000002.1043070932.0000000000A78000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://52.11.240.239/Y#b
Source: carryover.exe, 00000003.00000002.895962962.0000000000C8A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://52.11.240.239/ctbckavixptmbr
Source: carryover.exe, 00000003.00000002.897217661.0000000000D37000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://52.11.240.239/ctbckavixptmbrP
Source: carryover.exe, 00000003.00000002.895962962.0000000000C8A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://52.11.240.239/ctbckavixptmbrs
Source: carryover.exe, 00000006.00000002.920896517.0000000000B8B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://52.11.240.239/fjbxgvrfxmoy
Source: carryover.exe, 00000006.00000002.920896517.0000000000B8B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://52.11.240.239/fjbxgvrfxmoyg_
Source: alg.exe, 00000004.00000003.912605706.000000000062F000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000004.00000003.912605706.0000000000648000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000004.00000003.919756326.0000000000655000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://52.11.240.239/fvsaltcygk
Source: carryover.exe, 0000000D.00000002.1026508197.0000000000E08000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://52.11.240.239/jexgqy
Source: alg.exe, 00000004.00000003.912605706.000000000062F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://52.11.240.239/pRe
Source: POP_Swift_Copy_MTC78362-N70002.exe, 00000000.00000002.870277522.0000000000B62000.00000004.00000020.00020000.00000000.sdmp, POP_Swift_Copy_MTC78362-N70002.exe, 00000000.00000002.870277522.0000000000B51000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://52.11.240.239/t
Source: alg.exe, 00000004.00000003.891553928.000000000064E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000004.00000003.904170083.000000000062F000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000004.00000003.892797606.000000000064B000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000004.00000003.891637073.000000000062F000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000004.00000003.892866836.0000000000655000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000004.00000003.905875973.000000000062F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://52.11.240.239/wvmmm
Source: carryover.exe, 00000003.00000002.897217661.0000000000D37000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://52.11.240.239:80/ctbckavixptmbr
Source: alg.exe, 00000004.00000003.912605706.0000000000628000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000004.00000003.922597959.0000000000628000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://52.11.240.239:80/fvsaltcygk
Source: carryover.exe, 0000000D.00000002.1026508197.0000000000E08000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://52.11.240.239:80/jexgqy
Source: alg.exe, 00000004.00000003.891637073.0000000000628000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://52.11.240.239:80/wvmmmSW
Source: alg.exe, 00000004.00000003.933185732.000000000062F000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000004.00000003.953993845.000000000062F000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000004.00000003.1172332176.000000000062F000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000004.00000003.1385407354.000000000062F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://72.52.178.23/hywpyx
Source: alg.exe, 00000004.00000003.1172332176.0000000000628000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000004.00000003.1385407354.0000000000628000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000004.00000003.953993845.0000000000628000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000004.00000003.933185732.0000000000628000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://72.52.178.23:80/hywpyx
Source: alg.exe, 00000004.00000003.1385407354.000000000062F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://82.112.184.197/
Source: alg.exe, 00000004.00000003.1385407354.000000000062F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://82.112.184.197/0=
Source: alg.exe, 00000004.00000003.1172332176.000000000062F000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000004.00000003.1385407354.000000000062F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://82.112.184.197/8=h
Source: alg.exe, 00000004.00000003.1386603542.00000000005FF000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000004.00000003.1385407354.0000000000628000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://82.112.184.197/bvccptqwlhjsjgo
Source: alg.exe, 00000004.00000003.1172332176.000000000062F000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000004.00000003.1385407354.000000000062F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://82.112.184.197/rdnr
Source: alg.exe, 00000004.00000003.1173663575.00000000005FF000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000004.00000003.1172332176.0000000000628000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://82.112.184.197/trdnr
Source: alg.exe, 00000004.00000003.1385407354.000000000062F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://82.112.184.197/xTb
Source: alg.exe, 00000004.00000003.1384981931.0000000000679000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000004.00000003.1391144062.0000000000679000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000004.00000003.1386055318.0000000000679000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://82.112.184.197:80/bvccptqwlhjsjgo
Source: alg.exe, 00000004.00000003.1172118599.0000000000674000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://82.112.184.197:80/trdnr
Source: build.exe, 0000000A.00000002.1309475131.00000000025C6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary
Source: build.exe, 0000000A.00000002.1309475131.00000000025C6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary
Source: build.exe, 0000000A.00000002.1309475131.00000000025C6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text
Source: build.exe, 0000000A.00000002.1309475131.00000000025C6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
Source: build.exe, 0000000A.00000002.1309475131.00000000025C6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: build.exe, 0000000A.00000002.1309475131.00000000025C6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif
Source: build.exe, 0000000A.00000002.1309475131.00000000025C6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ
Source: build.exe, 0000000A.00000002.1309475131.00000000025C6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
Source: build.exe, 0000000A.00000002.1309475131.00000000025C6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1
Source: build.exe, 0000000A.00000002.1309475131.00000000025C6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license
Source: build.exe, 0000000A.00000002.1309475131.00000000025C6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
Source: build.exe, 0000000A.00000002.1309475131.00000000025C6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID
Source: build.exe, 0000000A.00000002.1309475131.00000000025C6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
Source: build.exe, 0000000A.00000002.1309475131.00000000025C6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
Source: build.exe, 0000000A.00000002.1309475131.00000000025C6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey
Source: build.exe, 0000000A.00000002.1309475131.00000000025C6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1
Source: build.exe, 0000000A.00000002.1309475131.00000000025C6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1
Source: build.exe, 0000000A.00000002.1309475131.00000000025C6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd
Source: Origin_rawfile.exe, 00000009.00000002.2158193336.00000000031A1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ip-api.com
Source: RegSvcs.exe, 00000008.00000002.939369508.0000000003F69000.00000004.00000800.00020000.00000000.sdmp, Origin_rawfile.exe, 00000009.00000002.2158193336.00000000031A1000.00000004.00000800.00020000.00000000.sdmp, Origin_rawfile.exe, 00000009.00000000.924376846.0000000000D92000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: alg.exe, 00000004.00000003.1173663575.00000000005F1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://knjghuig.biz/
Source: Origin_rawfile.exe, 00000009.00000002.2158193336.00000000034C6000.00000004.00000800.00020000.00000000.sdmp, Origin_rawfile.exe, 00000009.00000002.2158193336.000000000323A000.00000004.00000800.00020000.00000000.sdmp, Origin_rawfile.exe, 00000009.00000002.2158193336.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Origin_rawfile.exe, 00000009.00000002.2158193336.00000000031D1000.00000004.00000800.00020000.00000000.sdmp, Origin_rawfile.exe, 00000009.00000002.2158193336.0000000003428000.00000004.00000800.00020000.00000000.sdmp, Origin_rawfile.exe, 00000009.00000002.2158193336.0000000003334000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mail.xma0.com
Source: carryover.exe, 00000003.00000002.895962962.0000000000C38000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://pywolwnvd.biz/
Source: carryover.exe, 00000006.00000002.920896517.0000000000B38000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://pywolwnvd.biz/#8
Source: Origin_rawfile.exe, 00000009.00000002.2130174795.0000000001434000.00000004.00000020.00020000.00000000.sdmp, Origin_rawfile.exe, 00000009.00000002.2158193336.00000000034C6000.00000004.00000800.00020000.00000000.sdmp, Origin_rawfile.exe, 00000009.00000002.2189565431.0000000008DB0000.00000004.00000020.00020000.00000000.sdmp, Origin_rawfile.exe, 00000009.00000002.2158193336.000000000323A000.00000004.00000800.00020000.00000000.sdmp, Origin_rawfile.exe, 00000009.00000002.2158193336.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Origin_rawfile.exe, 00000009.00000002.2158193336.00000000031D1000.00000004.00000800.00020000.00000000.sdmp, Origin_rawfile.exe, 00000009.00000002.2189565431.0000000008DC2000.00000004.00000020.00020000.00000000.sdmp, Origin_rawfile.exe, 00000009.00000002.2158193336.0000000003428000.00000004.00000800.00020000.00000000.sdmp, Origin_rawfile.exe, 00000009.00000002.2158193336.0000000003334000.00000004.00000800.00020000.00000000.sdmp, Origin_rawfile.exe, 00000009.00000002.2177358060.0000000006A00000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://r10.i.lencr.org/0
Source: Origin_rawfile.exe, 00000009.00000002.2130174795.0000000001434000.00000004.00000020.00020000.00000000.sdmp, Origin_rawfile.exe, 00000009.00000002.2158193336.00000000034C6000.00000004.00000800.00020000.00000000.sdmp, Origin_rawfile.exe, 00000009.00000002.2189565431.0000000008DB0000.00000004.00000020.00020000.00000000.sdmp, Origin_rawfile.exe, 00000009.00000002.2158193336.000000000323A000.00000004.00000800.00020000.00000000.sdmp, Origin_rawfile.exe, 00000009.00000002.2158193336.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Origin_rawfile.exe, 00000009.00000002.2158193336.00000000031D1000.00000004.00000800.00020000.00000000.sdmp, Origin_rawfile.exe, 00000009.00000002.2189565431.0000000008DC2000.00000004.00000020.00020000.00000000.sdmp, Origin_rawfile.exe, 00000009.00000002.2158193336.0000000003428000.00000004.00000800.00020000.00000000.sdmp, Origin_rawfile.exe, 00000009.00000002.2158193336.0000000003334000.00000004.00000800.00020000.00000000.sdmp, Origin_rawfile.exe, 00000009.00000002.2177358060.0000000006A00000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://r10.o.lencr.org0#
Source: build.exe, 0000000A.00000002.1309475131.00000000025C6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap
Source: build.exe, 0000000A.00000002.1309475131.00000000025C6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap
Source: build.exe, 0000000A.00000002.1309475131.0000000002531000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: build.exe, 0000000A.00000002.1309475131.0000000002531000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: build.exe, 0000000A.00000002.1309475131.00000000025C6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2002/12/policy
Source: build.exe, 0000000A.00000002.1309475131.00000000025C6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/sc
Source: build.exe, 0000000A.00000002.1309475131.00000000025C6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk
Source: build.exe, 0000000A.00000002.1309475131.00000000025C6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct
Source: build.exe, 0000000A.00000002.1309475131.00000000025C6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1
Source: build.exe, 0000000A.00000002.1309475131.00000000025C6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue
Source: build.exe, 0000000A.00000002.1309475131.00000000025C6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce
Source: build.exe, 0000000A.00000002.1309475131.00000000025C6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue
Source: build.exe, 0000000A.00000002.1309475131.00000000025C6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT
Source: build.exe, 0000000A.00000002.1309475131.00000000025C6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue
Source: build.exe, 0000000A.00000002.1309475131.00000000025C6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT
Source: build.exe, 0000000A.00000002.1309475131.00000000025C6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey
Source: build.exe, 0000000A.00000002.1309475131.00000000025C6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust
Source: build.exe, 0000000A.00000002.1309475131.00000000025C6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey
Source: build.exe, 0000000A.00000002.1309475131.00000000025C6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey
Source: build.exe, 0000000A.00000002.1309475131.00000000025C6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/06/addressingex
Source: build.exe, 0000000A.00000002.1309475131.0000000002531000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe
Source: C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe Code function: 0_2_00402344 GetCursorPos,ScreenToClient,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetWindowLongW, 0_2_00402344
Source: C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe Code function: 0_2_0048CABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 0_2_0048CABC

System Summary

Source: 8.2.RegSvcs.exe.40efe90.2.raw.unpack, type: UNPACKEDPE Matched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
Source: 8.2.RegSvcs.exe.3fa53c0.5.raw.unpack, type: UNPACKEDPE Matched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
Source: 8.2.RegSvcs.exe.3fa53c0.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 3.2.carryover.exe.4100000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 16.2.carryover.exe.3fb0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 8.2.RegSvcs.exe.3fe15f0.4.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 8.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 10.0.build.exe.100000.0.unpack, type: UNPACKEDPE Matched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
Source: 13.2.carryover.exe.3fb0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 8.2.RegSvcs.exe.401d810.7.raw.unpack, type: UNPACKEDPE Matched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
Source: 8.2.RegSvcs.exe.401d810.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 8.2.RegSvcs.exe.3e35570.6.raw.unpack, type: UNPACKEDPE Matched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
Source: 8.2.RegSvcs.exe.401d810.7.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 8.2.RegSvcs.exe.3e35570.6.unpack, type: UNPACKEDPE Matched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
Source: 9.0.Origin_rawfile.exe.d90000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 6.2.carryover.exe.3f60000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 8.2.RegSvcs.exe.3fe15f0.4.raw.unpack, type: UNPACKEDPE Matched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
Source: 8.2.RegSvcs.exe.3fe15f0.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 8.2.RegSvcs.exe.3fa53c0.5.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 8.2.RegSvcs.exe.40efe90.2.unpack, type: UNPACKEDPE Matched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
Source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000008.00000002.927279385.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0000000D.00000002.1028050247.0000000003FB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000010.00000002.1046055839.0000000003FB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000006.00000002.922580618.0000000003F60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000003.00000002.900016848.0000000004100000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\build.exe, type: DROPPED Matched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe, type: DROPPED Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: POP_Swift_Copy_MTC78362-N70002.exe String found in binary or memory: This is a third-party compiled AutoIt script.
Source: POP_Swift_Copy_MTC78362-N70002.exe, 00000000.00000000.855293180.00000000004B4000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_c52a4a7d-5
Source: POP_Swift_Copy_MTC78362-N70002.exe, 00000000.00000000.855293180.00000000004B4000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer` memstr_7213ea80-9
Source: POP_Swift_Copy_MTC78362-N70002.exe, 00000000.00000003.867434515.00000000042E3000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_10aabad3-e
Source: POP_Swift_Copy_MTC78362-N70002.exe, 00000000.00000003.867434515.00000000042E3000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer` memstr_a45f67fb-5
Source: carryover.exe, 00000003.00000002.894767763.00000000004B4000.00000002.00000001.01000000.00000004.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_ebc8e207-8
Source: carryover.exe, 00000003.00000002.894767763.00000000004B4000.00000002.00000001.01000000.00000004.sdmp String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer` memstr_72929ccb-b
Source: carryover.exe, 00000006.00000002.920431285.00000000004B4000.00000002.00000001.01000000.00000004.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_41416de3-c
Source: carryover.exe, 00000006.00000002.920431285.00000000004B4000.00000002.00000001.01000000.00000004.sdmp String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer` memstr_45e5bed0-b
Source: carryover.exe, 0000000D.00000000.992073157.00000000004B4000.00000002.00000001.01000000.00000004.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_916b7614-e
Source: carryover.exe, 0000000D.00000000.992073157.00000000004B4000.00000002.00000001.01000000.00000004.sdmp String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer` memstr_8393fa4a-e
Source: carryover.exe, 00000010.00000000.1020522473.00000000004B4000.00000002.00000001.01000000.00000004.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_0095236d-d
Source: carryover.exe, 00000010.00000000.1020522473.00000000004B4000.00000002.00000001.01000000.00000004.sdmp String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer` memstr_f2517ab6-4
Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Windows\System32\alg.exe File created: C:\Windows\system32\config\systemprofile\AppData\Roaming\c277c4d4e5834a36.bin Jump to behavior
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Process token adjusted: Load Driver
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Process token adjusted: Security
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: String function: 0040E1D8 appears 44 times
Source: C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe Code function: String function: 00428900 appears 38 times
Source: updater.exe0.4.dr Static PE information: Resource name: RT_STRING type: CLIPPER COFF executable (VAX #) not stripped - version 71
Source: Acrobat.exe.4.dr Static PE information: Resource name: RT_STRING type: DOS executable (COM, 0x8C-variant)
Source: SingleClientServicesUpdater.exe.4.dr Static PE information: Resource name: 7Z type: 7-zip archive data, version 0.4
Source: OneDriveSetup.exe.4.dr Static PE information: Resource name: PAYLOAD type: Microsoft Cabinet archive data, many, 47694794 bytes, 767 files, at 0x44 +A "adal.dll" +A "alertIcon.png", flags 0x4, number 1, extra bytes 20 in head, 6100 datablocks, 0x1503 compression
Source: SingleClientServicesUpdater.exe0.4.dr Static PE information: Resource name: 7Z type: 7-zip archive data, version 0.4
Source: elevation_service.exe.4.dr Static PE information: Number of sections : 12 > 10
Source: pwahelper.exe.4.dr Static PE information: Number of sections : 12 > 10
Source: ie_to_edge_stub.exe.4.dr Static PE information: Number of sections : 11 > 10
Source: notification_click_helper.exe.4.dr Static PE information: Number of sections : 13 > 10
Source: setup.exe.4.dr Static PE information: Number of sections : 13 > 10
Source: msedge_proxy.exe0.4.dr Static PE information: Number of sections : 12 > 10
Source: msedgewebview2.exe.4.dr Static PE information: Number of sections : 14 > 10
Source: msedge_pwa_launcher.exe.4.dr Static PE information: Number of sections : 13 > 10
Source: pwahelper.exe0.4.dr Static PE information: Number of sections : 12 > 10
Source: msedge_proxy.exe.4.dr Static PE information: Number of sections : 12 > 10
Source: identity_helper.exe.4.dr Static PE information: Number of sections : 12 > 10
Source: POP_Swift_Copy_MTC78362-N70002.exe, 00000000.00000003.857659724.0000000003ED0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamearmsvc.exeN vs POP_Swift_Copy_MTC78362-N70002.exe
Source: POP_Swift_Copy_MTC78362-N70002.exe, 00000000.00000003.863752388.0000000003F80000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameALG.exej% vs POP_Swift_Copy_MTC78362-N70002.exe
Source: unknown Driver loaded: C:\Windows\System32\drivers\AppVStrm.sys
Source: POP_Swift_Copy_MTC78362-N70002.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: 8.2.RegSvcs.exe.40efe90.2.raw.unpack, type: UNPACKEDPE Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
Source: 8.2.RegSvcs.exe.3fa53c0.5.raw.unpack, type: UNPACKEDPE Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
Source: 8.2.RegSvcs.exe.3fa53c0.5.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 3.2.carryover.exe.4100000.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 16.2.carryover.exe.3fb0000.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 8.2.RegSvcs.exe.3fe15f0.4.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 8.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 10.0.build.exe.100000.0.unpack, type: UNPACKEDPE Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
Source: 13.2.carryover.exe.3fb0000.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 8.2.RegSvcs.exe.401d810.7.raw.unpack, type: UNPACKEDPE Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
Source: 8.2.RegSvcs.exe.401d810.7.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 8.2.RegSvcs.exe.3e35570.6.raw.unpack, type: UNPACKEDPE Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
Source: 8.2.RegSvcs.exe.401d810.7.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 8.2.RegSvcs.exe.3e35570.6.unpack, type: UNPACKEDPE Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
Source: 9.0.Origin_rawfile.exe.d90000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 6.2.carryover.exe.3f60000.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 8.2.RegSvcs.exe.3fe15f0.4.raw.unpack, type: UNPACKEDPE Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
Source: 8.2.RegSvcs.exe.3fe15f0.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 8.2.RegSvcs.exe.3fa53c0.5.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 8.2.RegSvcs.exe.40efe90.2.unpack, type: UNPACKEDPE Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
Source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000008.00000002.927279385.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0000000D.00000002.1028050247.0000000003FB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000010.00000002.1046055839.0000000003FB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000006.00000002.922580618.0000000003F60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000003.00000002.900016848.0000000004100000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: C:\Users\user\AppData\Local\Temp\build.exe, type: DROPPED Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe, type: DROPPED Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: POP_Swift_Copy_MTC78362-N70002.exe Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: armsvc.exe.0.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: carryover.exe.0.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: alg.exe.0.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: updater.exe.4.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: jjs.exe.4.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: jp2launcher.exe.4.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: keytool.exe.4.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: kinit.exe.4.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: klist.exe.4.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: ktab.exe.4.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: orbd.exe.4.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Au3Info.exe.4.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: pack200.exe.4.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Au3Info_x64.exe.4.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: policytool.exe.4.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: rmid.exe.4.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AutoIt3Help.exe.4.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AutoIt3_x64.exe.4.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: SciTE.exe.4.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AdobeARMHelper.exe.4.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: updater.exe0.4.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: jaureg.exe.4.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: jucheck.exe.4.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: elevation_service.exe.4.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: maintenanceservice.exe.4.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: rmiregistry.exe.4.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: servertool.exe.4.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: ssvagent.exe.4.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: tnameserv.exe.4.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: unpack200.exe.4.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: ie_to_edge_stub.exe.4.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: cookie_exporter.exe.4.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: identity_helper.exe.4.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: setup.exe.4.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: elevation_service.exe0.4.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: msedgewebview2.exe.4.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: 7z.exe.4.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: 7zFM.exe.4.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: 7zG.exe.4.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Acrobat.exe.4.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AcrobatInfo.exe.4.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: msedge_proxy.exe.4.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: msedge_pwa_launcher.exe.4.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: notification_click_helper.exe.4.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: pwahelper.exe.4.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: msedge_proxy.exe0.4.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: pwahelper.exe0.4.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AppVDllSurrogate.exe.4.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AppVDllSurrogate32.exe.4.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AppVDllSurrogate64.exe.4.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: acrobat_sl.exe.4.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AcroBroker.exe.4.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AcroCEF.exe.4.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: SingleClientServicesUpdater.exe.4.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AppVLP.exe.4.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: OneDriveSetup.exe.4.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Integrator.exe.4.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AppSharingHookController.exe.4.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Common.ShowHelp.exe.4.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: filecompare.exe.4.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: excelcnv.exe.4.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AcroCEF.exe0.4.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: SingleClientServicesUpdater.exe0.4.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AcroTextExtractor.exe.4.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: ADelRCP.exe.4.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
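Every .reloc entry above carries IMAGE_SCN_MEM_EXECUTE and IMAGE_SCN_MEM_WRITE on top of the flags a relocation section normally has (initialized data, discardable, read). A linker does not emit a writable, executable relocation section; the combination is what a file infector leaves behind after appending its code to host binaries, and the affected list here is mostly legitimate third-party executables under Program Files (7-Zip, Acrobat, Edge, Java, AutoIt) that the sample rewrote. The following Python is an added triage check, not Joe Sandbox code and not code from the sample: it parses the PE section table with the standard library only and flags any .reloc section that is both executable and writable. The two in-memory images it scans are constructed stubs with just enough header to exercise the parser (assumption: they are not loadable, and the .text flags and section layout are my own choice).

```python
"""Added triage check: flag PE files whose .reloc section is executable and writable.

Standard library only, so it runs without pefile. The sample images built at the
bottom are constructed stubs (assumption: only the header fields the parser reads
are meaningful; the images are not loadable).
"""
import struct
import sys

# Section characteristic bits from the PE/COFF specification.
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_DISCARDABLE = 0x02000000
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

FLAG_NAMES = [
    (IMAGE_SCN_CNT_INITIALIZED_DATA, "IMAGE_SCN_CNT_INITIALIZED_DATA"),
    (IMAGE_SCN_MEM_DISCARDABLE, "IMAGE_SCN_MEM_DISCARDABLE"),
    (IMAGE_SCN_MEM_EXECUTE, "IMAGE_SCN_MEM_EXECUTE"),
    (IMAGE_SCN_MEM_READ, "IMAGE_SCN_MEM_READ"),
    (IMAGE_SCN_MEM_WRITE, "IMAGE_SCN_MEM_WRITE"),
]

# A relocation table is data the loader reads once; it is never legitimately code.
SUSPICIOUS_RELOC_BITS = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE


def parse_sections(data):
    """Return [(name, characteristics), ...] from the section table of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4                              # IMAGE_FILE_HEADER starts here
    (num_sections,) = struct.unpack_from("<H", data, coff + 2)
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)
    table = coff + 20 + opt_size                     # IMAGE_SECTION_HEADER array
    sections = []
    for i in range(num_sections):
        off = table + i * 40                         # each section header is 40 bytes
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        (chars,) = struct.unpack_from("<I", data, off + 36)   # Characteristics field
        sections.append((name, chars))
    return sections


def describe_flags(chars):
    """Names of the characteristic bits set, in the order the report prints them."""
    return [name for bit, name in FLAG_NAMES if chars & bit]


def flag_reloc(data):
    """Return (name, hex characteristics) for every .reloc section that is both X and W."""
    return [
        (name, hex(chars))
        for name, chars in parse_sections(data)
        if name == ".reloc" and (chars & SUSPICIOUS_RELOC_BITS) == SUSPICIOUS_RELOC_BITS
    ]


def build_sample_pe(sections):
    """Constructed PE32 stub with the given section table (assumption: not loadable)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))      # e_lfanew: PE header follows DOS header
    opt_size = 0xE0                                  # size of a PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x014C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)            # PE32 magic
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                    0x1000, 0x1000 * (i + 1), 0x200, 0x400 * (i + 1), 0, 0, 0, 0, chars)
        for i, (name, chars) in enumerate(sections)
    )
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


CLEAN_RELOC = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_DISCARDABLE | IMAGE_SCN_MEM_READ
INFECTED_RELOC = CLEAN_RELOC | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE  # flags seen in the report
TEXT = 0x60000020                                    # code | execute | read, an ordinary .text

# Constructed sample inputs: one clean layout, one with the report's .reloc flags.
CLEAN_SAMPLE = build_sample_pe([(".text", TEXT), (".reloc", CLEAN_RELOC)])
SUSPECT_SAMPLE = build_sample_pe([(".text", TEXT), (".reloc", INFECTED_RELOC)])


def scan_file(path):
    """Run the check against a file on disk."""
    with open(path, "rb") as fh:
        return flag_reloc(fh.read())


if __name__ == "__main__":
    targets = sys.argv[1:]
    if not targets:
        for label, img in (("clean-stub", CLEAN_SAMPLE), ("suspect-stub", SUSPECT_SAMPLE)):
            print(label, flag_reloc(img) or "ok")
    for path in targets:
        print(path, scan_file(path) or "ok")
```

Run it over the dropped copies named above (for example the Program Files copies of 7z.exe or Acrobat.exe on an affected host) to confirm which binaries were rewritten. A hit is a strong indicator, not proof on its own: some packers also set unusual section flags, so pair the result with an Authenticode signature check (a modified vendor binary no longer validates) or a hash comparison against the vendor's original before treating a file as infected.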
Source: classification engine Classification label: mal100.spre.troj.spyw.expl.evad.winEXE@35/159@53/19
Source: C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe Code function: 0_2_00463C55 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle, 0_2_00463C55
Source: C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe Code function: 0_2_00404E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource, 0_2_00404E89
Source: C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe Code function: 0_2_0170CBD0 StrStrIW,CloseHandle,StrStrIW,CloseServiceHandle,OpenServiceW,StrStrIW,_wcslen,ChangeServiceConfigW,StrStrIW,StrStrIW,CloseServiceHandle,CloseHandle,StartServiceW, 0_2_0170CBD0
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe File created: C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log
Source: C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe File created: C:\Users\user\AppData\Roaming\c277c4d4e5834a36.bin
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Mutant created: NULL
Source: C:\Windows\System32\alg.exe Mutant created: \BaseNamedObjects\Global\Multiarch.m0yv-c277c4d4e5834a369ea72c54-b
Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\Multiarch.m0yv-c277c4d4e5834a363d78ffaf-b
Source: C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\Multiarch.m0yv-c277c4d4e5834a36-inf
Source: C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe File created: C:\Users\user\AppData\Local\Temp\aut2211.tmp
Source: unknown Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\carryover.vbs"
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\build.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\build.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Users\user\AppData\Local\Temp\build.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\build.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: build.exe, 0000000A.00000002.1309475131.0000000002B46000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000A.00000002.1309475131.0000000002AB6000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000A.00000002.1309475131.00000000029FB000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000A.00000002.1309475131.0000000002A11000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000A.00000002.1309475131.0000000002B5C000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000A.00000002.1309475131.0000000002AA0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: POP_Swift_Copy_MTC78362-N70002.exe Virustotal: Detection: 82%
Source: POP_Swift_Copy_MTC78362-N70002.exe ReversingLabs: Detection: 83%
Source: C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe File read: C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe
Source: unknown Process created: C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe "C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe"
Source: unknown Process created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe"
Source: C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe Process created: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe "C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe"
Source: unknown Process created: C:\Windows\System32\alg.exe C:\Windows\System32\alg.exe
Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe"
Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe Process created: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe "C:\Users\user\AppData\Local\nonsubmerged\carryover.exe"
Source: unknown Process created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe"
Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\nonsubmerged\carryover.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process created: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe "C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process created: C:\Users\user\AppData\Local\Temp\build.exe "C:\Users\user\AppData\Local\Temp\build.exe"
Source: unknown Process created: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
Source: unknown Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\carryover.vbs"
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe "C:\Users\user\AppData\Local\nonsubmerged\carryover.exe"
Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\nonsubmerged\carryover.exe"
Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe Process created: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe "C:\Users\user\AppData\Local\nonsubmerged\carryover.exe"
Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\nonsubmerged\carryover.exe"
Source: unknown Process created: C:\Windows\System32\AppVClient.exe C:\Windows\system32\AppVClient.exe
Source: unknown Process created: C:\Windows\System32\FXSSVC.exe C:\Windows\system32\fxssvc.exe
Source: unknown Process created: C:\Windows\System32\msdtc.exe C:\Windows\System32\msdtc.exe
Source: unknown Process created: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Source: unknown Process created: C:\Windows\SysWOW64\perfhost.exe C:\Windows\SysWow64\perfhost.exe
Source: unknown Process created: C:\Windows\System32\Locator.exe C:\Windows\system32\locator.exe
Source: unknown Process created: C:\Windows\System32\SensorDataService.exe C:\Windows\System32\SensorDataService.exe
Source: unknown Process created: C:\Windows\System32\snmptrap.exe C:\Windows\System32\snmptrap.exe
Source: unknown Process created: C:\Windows\System32\Spectrum.exe C:\Windows\system32\spectrum.exe
Source: C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe Process created: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe "C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe"
Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe"
Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe Process created: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe "C:\Users\user\AppData\Local\nonsubmerged\carryover.exe"
Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\nonsubmerged\carryover.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process created: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe "C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process created: C:\Users\user\AppData\Local\Temp\build.exe "C:\Users\user\AppData\Local\Temp\build.exe"
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe "C:\Users\user\AppData\Local\nonsubmerged\carryover.exe"
Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\nonsubmerged\carryover.exe"
Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe Process created: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe "C:\Users\user\AppData\Local\nonsubmerged\carryover.exe"
Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\nonsubmerged\carryover.exe"
Source: C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe Section loaded: secur32.dll
Source: C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe Section loaded: webio.dll
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe Section loaded: webio.dll
Source: C:\Windows\System32\alg.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\alg.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\alg.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\alg.exe Section loaded: mpr.dll
Source: C:\Windows\System32\alg.exe Section loaded: secur32.dll
Source: C:\Windows\System32\alg.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\alg.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\alg.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\alg.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\alg.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\alg.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\alg.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\alg.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\alg.exe Section loaded: webio.dll
Source: C:\Windows\System32\alg.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\alg.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\alg.exe Section loaded: drprov.dll
Source: C:\Windows\System32\alg.exe Section loaded: winsta.dll
Source: C:\Windows\System32\alg.exe Section loaded: ntlanman.dll
Source: C:\Windows\System32\alg.exe Section loaded: davclnt.dll
Source: C:\Windows\System32\alg.exe Section loaded: davhlpr.dll
Source: C:\Windows\System32\alg.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\alg.exe Section loaded: cscapi.dll
Source: C:\Windows\System32\alg.exe Section loaded: netutils.dll
Source: C:\Windows\System32\alg.exe Section loaded: browcli.dll
Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe Section loaded: webio.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe Section loaded: dbghelp.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe Section loaded: winhttp.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe Section loaded: mpr.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe Section loaded: secur32.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Section loaded: rasman.dll
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Section loaded: vaultcli.dll
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: msvcp140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: windowscodecs.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Section loaded: version.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Section loaded: winhttp.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Section loaded: mpr.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Section loaded: secur32.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: vbscript.dll
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mlang.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe Section loaded: edputil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: netutils.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe Section loaded: appresolver.dll
Source: C:\Windows\System32\wscript.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: slc.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sppc.dll
Source: C:\Windows\System32\wscript.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\wscript.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\AppVClient.exe Section loaded: appvpolicy.dll
Source: C:\Windows\System32\AppVClient.exe Section loaded: userenv.dll
Source: C:\Windows\System32\AppVClient.exe Section loaded: wtsapi32.dll
Source: C:\Windows\System32\AppVClient.exe Section loaded: netapi32.dll
Source: C:\Windows\System32\AppVClient.exe Section loaded: secur32.dll
Source: C:\Windows\System32\AppVClient.exe Section loaded: wininet.dll
Source: C:\Windows\System32\AppVClient.exe Section loaded: netutils.dll
Source: C:\Windows\System32\AppVClient.exe Section loaded: samcli.dll
Source: C:\Windows\System32\AppVClient.exe Section loaded: logoncli.dll
Source: C:\Windows\System32\AppVClient.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\AppVClient.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\AppVClient.exe Section loaded: mpr.dll
Source: C:\Windows\System32\AppVClient.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\AppVClient.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\AppVClient.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\AppVClient.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\AppVClient.exe Section loaded: appmanagementconfiguration.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: version.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: tapi32.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: credui.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: fxstiff.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: mpr.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: secur32.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: slc.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: sppc.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: fxsresm.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: ualapi.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: slc.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: sppc.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: slc.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: sppc.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: wldp.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: profapi.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: slc.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: sppc.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: msdtctm.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: msdtcprx.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: msdtclog.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: mtxclu.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: winmm.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: clusapi.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: xolehlp.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: resutils.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: ktmw32.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: resutils.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: mpr.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: secur32.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: comres.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: msdtcvsp1res.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: mtxoci.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: oci.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: cscapi.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: netutils.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: firewallapi.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: fwbase.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: fwpolicyiomgr.dll
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe Section loaded: hid.dll
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe Section loaded: dxgi.dll
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe Section loaded: devobj.dll
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe Section loaded: mpr.dll
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe Section loaded: secur32.dll
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\Locator.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\Locator.exe Section loaded: mpr.dll
Source: C:\Windows\System32\Locator.exe Section loaded: secur32.dll
Source: C:\Windows\System32\Locator.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\Locator.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\Locator.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\Locator.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\SensorDataService.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\SensorDataService.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\SensorDataService.exe Section loaded: mpr.dll
Source: C:\Windows\System32\SensorDataService.exe Section loaded: secur32.dll
Source: C:\Windows\System32\SensorDataService.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\SensorDataService.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\SensorDataService.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\SensorDataService.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\SensorDataService.exe Section loaded: mfplat.dll
Source: C:\Windows\System32\SensorDataService.exe Section loaded: rtworkq.dll
Source: C:\Windows\System32\SensorDataService.exe Section loaded: windows.devices.perception.dll
Source: C:\Windows\System32\SensorDataService.exe Section loaded: mediafoundation.defaultperceptionprovider.dll
Source: C:\Windows\System32\SensorDataService.exe Section loaded: windows.devices.enumeration.dll
Source: C:\Windows\System32\SensorDataService.exe Section loaded: propsys.dll
Source: C:\Windows\System32\SensorDataService.exe Section loaded: structuredquery.dll
Source: C:\Windows\System32\SensorDataService.exe Section loaded: profapi.dll
Source: C:\Windows\System32\SensorDataService.exe Section loaded: windows.globalization.dll
Source: C:\Windows\System32\SensorDataService.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\SensorDataService.exe Section loaded: bcp47mrm.dll
Source: C:\Windows\System32\SensorDataService.exe Section loaded: icu.dll
Source: C:\Windows\System32\SensorDataService.exe Section loaded: mswb7.dll
Source: C:\Windows\System32\SensorDataService.exe Section loaded: devdispitemprovider.dll
Source: C:\Windows\System32\snmptrap.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\snmptrap.exe Section loaded: mpr.dll
Source: C:\Windows\System32\snmptrap.exe Section loaded: secur32.dll
Source: C:\Windows\System32\snmptrap.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\snmptrap.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\snmptrap.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\snmptrap.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\snmptrap.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\snmptrap.exe Section loaded: napinsp.dll
Source: C:\Windows\System32\snmptrap.exe Section loaded: pnrpnsp.dll
Source: C:\Windows\System32\snmptrap.exe Section loaded: wshbth.dll
Source: C:\Windows\System32\snmptrap.exe Section loaded: nlaapi.dll
Source: C:\Windows\System32\snmptrap.exe Section loaded: winrnr.dll
Source: C:\Windows\System32\Spectrum.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\Spectrum.exe Section loaded: rmclient.dll
Source: C:\Windows\System32\Spectrum.exe Section loaded: rmclient.dll
Source: C:\Windows\System32\Spectrum.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\Spectrum.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\Spectrum.exe Section loaded: spectrumsyncclient.dll
Source: C:\Windows\System32\Spectrum.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\Spectrum.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\Spectrum.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\Spectrum.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\Spectrum.exe Section loaded: mpr.dll
Source: C:\Windows\System32\Spectrum.exe Section loaded: secur32.dll
Source: C:\Windows\System32\Spectrum.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\Spectrum.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\Spectrum.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\Spectrum.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\Spectrum.exe Section loaded: perceptionsimulationextensions.dll
Source: C:\Windows\System32\Spectrum.exe Section loaded: hid.dll
Source: C:\Windows\System32\Spectrum.exe Section loaded: holographicruntimes.dll
Source: C:\Windows\System32\Spectrum.exe Section loaded: perceptiondevice.dll
Source: C:\Windows\System32\Spectrum.exe Section loaded: spatialstore.dll
Source: C:\Windows\System32\Spectrum.exe Section loaded: esent.dll
Source: C:\Windows\System32\Spectrum.exe Section loaded: analogcommonproxystub.dll
Source: C:\Windows\System32\Spectrum.exe Section loaded: capabilityaccessmanagerclient.dll
Source: C:\Windows\System32\Spectrum.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\Spectrum.exe Section loaded: windows.devices.enumeration.dll
Source: C:\Windows\System32\Spectrum.exe Section loaded: propsys.dll
Source: C:\Windows\System32\Spectrum.exe Section loaded: structuredquery.dll
Source: C:\Windows\System32\Spectrum.exe Section loaded: profapi.dll
Source: C:\Windows\System32\Spectrum.exe Section loaded: windows.globalization.dll
Source: C:\Windows\System32\Spectrum.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\Spectrum.exe Section loaded: bcp47mrm.dll
Source: C:\Windows\System32\Spectrum.exe Section loaded: icu.dll
Source: C:\Windows\System32\Spectrum.exe Section loaded: mswb7.dll
Source: C:\Windows\System32\Spectrum.exe Section loaded: devdispitemprovider.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
Source: POP_Swift_Copy_MTC78362-N70002.exe Static file information: File size 2214400 > 1048576
Source: POP_Swift_Copy_MTC78362-N70002.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\work\p4\splinters\Splinters\S\BuildResults\bin\Win32\ReaderRelease\FullTrustNotifier\FullTrustNotifier.pdb77.GCTL source: alg.exe, 00000004.00000003.1267036249.00000000014C0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\DCB\CBT_Main\BuildResults\bin\Win32\Release\armsvc.pdb source: POP_Swift_Copy_MTC78362-N70002.exe, 00000000.00000003.857605404.0000000003ED0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: E:\PkgInstaller\base\ntsetup\SrvPack.Main\tools\sfxcab\sfxcab\objfre\i386\sfxcab.pdb source: alg.exe, 00000004.00000003.1327165879.00000000014B0000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000004.00000003.1328907274.00000000014C0000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000004.00000003.1339672730.0000000000480000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: msiexec.pdb source: elevation_service.exe, 00000007.00000003.1923166633.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\AcrobatInfo.pdb source: alg.exe, 00000004.00000003.1003873112.0000000001590000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ssh-agent.pdb source: elevation_service.exe, 00000007.00000003.2052781864.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\TextExtractor.pdb444 source: alg.exe, 00000004.00000003.1139094310.0000000001590000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: 1.15.0.1.pdbex source: build.exe, 0000000A.00000002.1302827843.0000000000774000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: WINLOA~1.PDBwinload_prod.pdb source: build.exe, 0000000A.00000002.1302827843.0000000000774000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\TextExtractor.pdb source: alg.exe, 00000004.00000003.1139094310.0000000001590000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ADelRCP_Exec.pdb source: alg.exe, 00000004.00000003.1148713422.0000000001590000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: msiexec.pdbGCTL source: elevation_service.exe, 00000007.00000003.1923166633.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: mavinject32.pdbGCTL source: alg.exe, 00000004.00000003.1386116635.00000000004B0000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000004.00000003.1383123026.00000000014B0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: PresentationFontCache.pdb source: elevation_service.exe, 00000007.00000003.1899149495.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: PerceptionSimulationService.pdb source: elevation_service.exe, 00000007.00000003.1941717486.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: _.pdb source: RegSvcs.exe, 00000008.00000002.939369508.0000000003E69000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: crashreporter.pdb source: alg.exe, 00000004.00000003.1545759493.00000000012B0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: carryover.exe, 00000003.00000003.892573059.0000000004C50000.00000004.00001000.00020000.00000000.sdmp, carryover.exe, 00000003.00000003.891682528.0000000004AB0000.00000004.00001000.00020000.00000000.sdmp, carryover.exe, 00000006.00000003.909490862.0000000004E60000.00000004.00001000.00020000.00000000.sdmp, carryover.exe, 00000006.00000003.912742249.0000000004CC0000.00000004.00001000.00020000.00000000.sdmp, carryover.exe, 0000000D.00000003.1007870064.0000000004210000.00000004.00001000.00020000.00000000.sdmp, carryover.exe, 0000000D.00000003.1004439932.0000000004070000.00000004.00001000.00020000.00000000.sdmp, carryover.exe, 00000010.00000003.1033778483.0000000004070000.00000004.00001000.00020000.00000000.sdmp, carryover.exe, 00000010.00000003.1037501755.0000000004D10000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\WebInstaller\AcroMiniServicesUpdater.pdb source: alg.exe, 00000004.00000003.1112231552.0000000001590000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\plug_ins\pi_brokers\MSRMSPIBroker.pdbAAAGCTL source: alg.exe, 00000004.00000003.1260735791.00000000014C0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: MsSense.pdbGCTL source: elevation_service.exe, 00000007.00000003.1980186568.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\dbs\el\omr\Target\x64\ship\click2run\x-none\InspectorOfficeGadget.pdb source: alg.exe, 00000004.00000003.1361887205.00000000014B0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: MsSense.pdb source: elevation_service.exe, 00000007.00000003.1980186568.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\Acrobat\Installers\ShowAppPickerForPDF\Release_x64\ShowAppPickerForPDF.pdb source: alg.exe, 00000004.00000003.1274422384.00000000014C0000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000004.00000003.1283251012.0000000000480000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\WCChromeNativeMessagingHost.pdb888 source: alg.exe, 00000004.00000003.1185467540.00000000014C0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: Acrobat_SL.pdb((( source: alg.exe, 00000004.00000003.1026691951.0000000001590000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: locator.pdb source: elevation_service.exe, 00000007.00000003.1965532858.0000000000830000.00000004.00001000.00020000.00000000.sdmp, elevation_service.exe, 00000007.00000003.1974269263.00000000007A0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: DiagnosticsHub.StandardCollector.Service.pdbGCTL source: elevation_service.exe, 00000007.00000003.1875381767.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ADelRCP_Exec.pdbCC9 source: alg.exe, 00000004.00000003.1148713422.0000000001590000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\AcroBroker.pdb source: alg.exe, 00000004.00000003.1038473545.0000000001590000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: Acrobat_SL.pdb source: alg.exe, 00000004.00000003.1026691951.0000000001590000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: E:\PkgInstaller\base\ntsetup\SrvPack.Main\tools\sfxcab\sfxcab\objfre\i386\sfxcab.pdbU source: alg.exe, 00000004.00000003.1327165879.00000000014B0000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000004.00000003.1328907274.00000000014C0000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000004.00000003.1339672730.0000000000480000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\WebInstaller\AcroMiniServicesUpdater.pdbT source: alg.exe, 00000004.00000003.1112231552.0000000001590000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\workspace\CR-Windows-x64-Client-Builder\x64\Release\CRWindowsClientService.pdbGG source: alg.exe, 00000004.00000003.1201107346.00000000014C0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\AcrobatInfo.pdb))) source: alg.exe, 00000004.00000003.1003873112.0000000001590000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: mavinject32.pdb source: alg.exe, 00000004.00000003.1386116635.00000000004B0000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000004.00000003.1383123026.00000000014B0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: maintenanceservice.pdb source: alg.exe, 00000004.00000003.908376252.0000000001590000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: 64BitMAPIBroker.pdb source: alg.exe, 00000004.00000003.1250645435.00000000014C0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: msdtcexe.pdbGCTL source: elevation_service.exe, 00000007.00000003.1908491709.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: PerceptionSimulationService.pdbGCTL source: elevation_service.exe, 00000007.00000003.1941717486.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: snmptrap.pdbGCTL source: elevation_service.exe, 00000007.00000003.2001985634.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\dbs\el\omr\Target\x64\ship\click2run\x-none\InspectorOfficeGadget.pdbY source: alg.exe, 00000004.00000003.1361887205.00000000014B0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: PerfHost.pdbGCTL source: elevation_service.exe, 00000007.00000003.1961833470.00000000007A0000.00000004.00001000.00020000.00000000.sdmp, elevation_service.exe, 00000007.00000003.1952687940.0000000000830000.00000004.00001000.00020000.00000000.sdmp, elevation_service.exe, 00000007.00000003.1951213876.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: E:\jenkins\workspace\NGL_WORKFLOW\build\master\win64\Release\Acrobat\project\win\ngl-workflow\x64\Release (Acrobat)\adobe_licensing_wf_helper_acro.pdb source: alg.exe, 00000004.00000003.1235636945.00000000014C0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\WCChromeNativeMessagingHost.pdb source: alg.exe, 00000004.00000003.1185467540.00000000014C0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\work\p4\splinters\Splinters\S\BuildResults\bin\Win32\ReaderRelease\FullTrustNotifier\FullTrustNotifier.pdb source: alg.exe, 00000004.00000003.1267036249.00000000014C0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\workspace\CR-Windows-x64-Client-Builder\x64\Release\CRWindowsClientService.pdb source: alg.exe, 00000004.00000003.1201107346.00000000014C0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release\Plug_ins\pi_brokers\32BitMAPIBroker.pdb@@ source: alg.exe, 00000004.00000003.1239779841.00000000014C0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: PerfHost.pdb source: elevation_service.exe, 00000007.00000003.1961833470.00000000007A0000.00000004.00001000.00020000.00000000.sdmp, elevation_service.exe, 00000007.00000003.1952687940.0000000000830000.00000004.00001000.00020000.00000000.sdmp, elevation_service.exe, 00000007.00000003.1951213876.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\plug_ins\pi_brokers\MSRMSPIBroker.pdb source: alg.exe, 00000004.00000003.1260735791.00000000014C0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: maintenanceservice.pdb` source: alg.exe, 00000004.00000003.908376252.0000000001590000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\Acrobat\Installers\ShowAppPickerForPDF\Release_x64\ShowAppPickerForPDF.pdb$$ source: alg.exe, 00000004.00000003.1274422384.00000000014C0000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000004.00000003.1283251012.0000000000480000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: carryover.exe, 00000003.00000003.892573059.0000000004C50000.00000004.00001000.00020000.00000000.sdmp, carryover.exe, 00000003.00000003.891682528.0000000004AB0000.00000004.00001000.00020000.00000000.sdmp, carryover.exe, 00000006.00000003.909490862.0000000004E60000.00000004.00001000.00020000.00000000.sdmp, carryover.exe, 00000006.00000003.912742249.0000000004CC0000.00000004.00001000.00020000.00000000.sdmp, carryover.exe, 0000000D.00000003.1007870064.0000000004210000.00000004.00001000.00020000.00000000.sdmp, carryover.exe, 0000000D.00000003.1004439932.0000000004070000.00000004.00001000.00020000.00000000.sdmp, carryover.exe, 00000010.00000003.1033778483.0000000004070000.00000004.00001000.00020000.00000000.sdmp, carryover.exe, 00000010.00000003.1037501755.0000000004D10000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: TieringEngineService.pdb source: elevation_service.exe, 00000007.00000003.2064218672.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: TieringEngineService.pdbGCTL source: elevation_service.exe, 00000007.00000003.2064218672.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\Eula.pdb source: alg.exe, 00000004.00000003.1208714474.00000000014C0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ALG.pdb source: POP_Swift_Copy_MTC78362-N70002.exe, 00000000.00000003.863230963.0000000003F80000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: msdtcexe.pdb source: elevation_service.exe, 00000007.00000003.1908491709.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: DiagnosticsHub.StandardCollector.Service.pdb source: elevation_service.exe, 00000007.00000003.1875381767.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ALG.pdbGCTL source: POP_Swift_Copy_MTC78362-N70002.exe, 00000000.00000003.863230963.0000000003F80000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: PresentationFontCache.pdbHt^t Pt_CorExeMainmscoree.dll source: elevation_service.exe, 00000007.00000003.1899149495.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\AcroBroker.pdbTTT source: alg.exe, 00000004.00000003.1038473545.0000000001590000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: locator.pdbGCTL source: elevation_service.exe, 00000007.00000003.1965532858.0000000000830000.00000004.00001000.00020000.00000000.sdmp, elevation_service.exe, 00000007.00000003.1974269263.00000000007A0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ssh-agent.pdbX source: elevation_service.exe, 00000007.00000003.2052781864.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: AppVShNotify.pdb source: alg.exe, 00000004.00000003.1357417726.00000000014C0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: snmptrap.pdb source: elevation_service.exe, 00000007.00000003.2001985634.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release\Plug_ins\pi_brokers\32BitMAPIBroker.pdb source: alg.exe, 00000004.00000003.1239779841.00000000014C0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\Eula.pdb888 source: alg.exe, 00000004.00000003.1208714474.00000000014C0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: AppVShNotify.pdbGCTL source: alg.exe, 00000004.00000003.1357417726.00000000014C0000.00000004.00001000.00020000.00000000.sdmp
Source: alg.exe.0.dr Static PE information: 0xF67E8745 [Tue Jan 18 10:28:21 2101 UTC]
Source: C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe Code function: 0_2_00404B37 LoadLibraryA,GetProcAddress, 0_2_00404B37
Source: armsvc.exe.0.dr Static PE information: section name: .didat
Source: alg.exe.0.dr Static PE information: section name: .didat
Source: updater.exe.4.dr Static PE information: section name: .00cfg
Source: updater.exe.4.dr Static PE information: section name: .voltbl
Source: updater.exe.4.dr Static PE information: section name: _RDATA
Source: updater.exe0.4.dr Static PE information: section name: CPADinfo
Source: updater.exe0.4.dr Static PE information: section name: malloc_h
Source: elevation_service.exe.4.dr Static PE information: section name: .00cfg
Source: elevation_service.exe.4.dr Static PE information: section name: .gxfg
Source: elevation_service.exe.4.dr Static PE information: section name: .retplne
Source: elevation_service.exe.4.dr Static PE information: section name: _RDATA
Source: elevation_service.exe.4.dr Static PE information: section name: malloc_h
Source: maintenanceservice.exe.4.dr Static PE information: section name: .00cfg
Source: maintenanceservice.exe.4.dr Static PE information: section name: .voltbl
Source: maintenanceservice.exe.4.dr Static PE information: section name: _RDATA
Source: unpack200.exe.4.dr Static PE information: section name: .00cfg
Source: ie_to_edge_stub.exe.4.dr Static PE information: section name: .00cfg
Source: ie_to_edge_stub.exe.4.dr Static PE information: section name: .gxfg
Source: ie_to_edge_stub.exe.4.dr Static PE information: section name: .retplne
Source: ie_to_edge_stub.exe.4.dr Static PE information: section name: _RDATA
Source: cookie_exporter.exe.4.dr Static PE information: section name: .00cfg
Source: cookie_exporter.exe.4.dr Static PE information: section name: .gxfg
Source: cookie_exporter.exe.4.dr Static PE information: section name: .retplne
Source: cookie_exporter.exe.4.dr Static PE information: section name: _RDATA
Source: identity_helper.exe.4.dr Static PE information: section name: .00cfg
Source: identity_helper.exe.4.dr Static PE information: section name: .gxfg
Source: identity_helper.exe.4.dr Static PE information: section name: .retplne
Source: identity_helper.exe.4.dr Static PE information: section name: _RDATA
Source: identity_helper.exe.4.dr Static PE information: section name: malloc_h
Source: setup.exe.4.dr Static PE information: section name: .00cfg
Source: setup.exe.4.dr Static PE information: section name: .gxfg
Source: setup.exe.4.dr Static PE information: section name: .retplne
Source: setup.exe.4.dr Static PE information: section name: LZMADEC
Source: setup.exe.4.dr Static PE information: section name: _RDATA
Source: setup.exe.4.dr Static PE information: section name: malloc_h
Source: elevation_service.exe0.4.dr Static PE information: section name: .gxfg
Source: elevation_service.exe0.4.dr Static PE information: section name: .retplne
Source: elevation_service.exe0.4.dr Static PE information: section name: _RDATA
Source: msedgewebview2.exe.4.dr Static PE information: section name: .00cfg
Source: msedgewebview2.exe.4.dr Static PE information: section name: .gxfg
Source: msedgewebview2.exe.4.dr Static PE information: section name: .retplne
Source: msedgewebview2.exe.4.dr Static PE information: section name: CPADinfo
Source: msedgewebview2.exe.4.dr Static PE information: section name: LZMADEC
Source: msedgewebview2.exe.4.dr Static PE information: section name: _RDATA
Source: msedgewebview2.exe.4.dr Static PE information: section name: malloc_h
Source: Acrobat.exe.4.dr Static PE information: section name: .didat
Source: Acrobat.exe.4.dr Static PE information: section name: _RDATA
Source: msedge_proxy.exe.4.dr Static PE information: section name: .00cfg
Source: msedge_proxy.exe.4.dr Static PE information: section name: .gxfg
Source: msedge_proxy.exe.4.dr Static PE information: section name: .retplne
Source: msedge_proxy.exe.4.dr Static PE information: section name: _RDATA
Source: msedge_proxy.exe.4.dr Static PE information: section name: malloc_h
Source: msedge_pwa_launcher.exe.4.dr Static PE information: section name: .00cfg
Source: msedge_pwa_launcher.exe.4.dr Static PE information: section name: .gxfg
Source: msedge_pwa_launcher.exe.4.dr Static PE information: section name: .retplne
Source: msedge_pwa_launcher.exe.4.dr Static PE information: section name: LZMADEC
Source: msedge_pwa_launcher.exe.4.dr Static PE information: section name: _RDATA
Source: msedge_pwa_launcher.exe.4.dr Static PE information: section name: malloc_h
Source: notification_click_helper.exe.4.dr Static PE information: section name: .00cfg
Source: notification_click_helper.exe.4.dr Static PE information: section name: .gxfg
Source: notification_click_helper.exe.4.dr Static PE information: section name: .retplne
Source: notification_click_helper.exe.4.dr Static PE information: section name: CPADinfo
Source: notification_click_helper.exe.4.dr Static PE information: section name: _RDATA
Source: notification_click_helper.exe.4.dr Static PE information: section name: malloc_h
Source: pwahelper.exe.4.dr Static PE information: section name: .00cfg
Source: pwahelper.exe.4.dr Static PE information: section name: .gxfg
Source: pwahelper.exe.4.dr Static PE information: section name: .retplne
Source: pwahelper.exe.4.dr Static PE information: section name: _RDATA
Source: pwahelper.exe.4.dr Static PE information: section name: malloc_h
Source: msedge_proxy.exe0.4.dr Static PE information: section name: .00cfg
Source: msedge_proxy.exe0.4.dr Static PE information: section name: .gxfg
Source: msedge_proxy.exe0.4.dr Static PE information: section name: .retplne
Source: msedge_proxy.exe0.4.dr Static PE information: section name: _RDATA
Source: msedge_proxy.exe0.4.dr Static PE information: section name: malloc_h
Source: pwahelper.exe0.4.dr Static PE information: section name: .00cfg
Source: pwahelper.exe0.4.dr Static PE information: section name: .gxfg
Source: pwahelper.exe0.4.dr Static PE information: section name: .retplne
Source: pwahelper.exe0.4.dr Static PE information: section name: _RDATA
Source: pwahelper.exe0.4.dr Static PE information: section name: malloc_h
Source: AcroCEF.exe.4.dr Static PE information: section name: .didat
Source: AcroCEF.exe.4.dr Static PE information: section name: _RDATA
Source: SingleClientServicesUpdater.exe.4.dr Static PE information: section name: .didat
Source: SingleClientServicesUpdater.exe.4.dr Static PE information: section name: _RDATA
Source: AppVLP.exe.4.dr Static PE information: section name: .c2r
Source: OneDriveSetup.exe.4.dr Static PE information: section name: .didat
Source: AppSharingHookController.exe.4.dr Static PE information: section name: .c2r
Source: excelcnv.exe.4.dr Static PE information: section name: .detourc
Source: excelcnv.exe.4.dr Static PE information: section name: .c2r
Source: AcroCEF.exe0.4.dr Static PE information: section name: .didat
Source: AcroCEF.exe0.4.dr Static PE information: section name: _RDATA
Source: SingleClientServicesUpdater.exe0.4.dr Static PE information: section name: .didat
Source: SingleClientServicesUpdater.exe0.4.dr Static PE information: section name: _RDATA
Source: C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe Code function: 0_2_00414257 push edi; ret 0_2_00414259
Source: C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe Code function: 0_2_0041426B push edi; ret 0_2_0041426D
Source: C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe Code function: 0_2_0042B7C7 push esi; ret 0_2_0042B7C9
Source: C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe Code function: 0_2_0042B816 push edi; ret 0_2_0042B818
Source: C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe Code function: 0_2_0042B8BC push edi; ret 0_2_0042B8BE
Source: C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe Code function: 0_2_00428945 push ecx; ret 0_2_00428958
Source: C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe Code function: 0_2_00402F12 push es; retf 0_2_00402F13
Source: C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe Code function: 0_2_016EB180 push 016EB0CAh; ret 0_2_016EB061
Source: C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe Code function: 0_2_016EB180 push 016EB30Dh; ret 0_2_016EB1E6
Source: C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe Code function: 0_2_016EB180 push 016EB2F2h; ret 0_2_016EB262
Source: C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe Code function: 0_2_016EB180 push 016EB255h; ret 0_2_016EB2ED
Source: C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe Code function: 0_2_016EB180 push 016EB2D0h; ret 0_2_016EB346
Source: C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe Code function: 0_2_016EB180 push 016EB37Fh; ret 0_2_016EB3B7
Source: C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe Code function: 0_2_016E520C push 016E528Fh; ret 0_2_016E522D
Source: C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe Code function: 0_2_01708550 push 0170852Eh; ret 0_2_01707F3A
Source: C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe Code function: 0_2_01708550 push 01708514h; ret 0_2_01707F66
Source: C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe Code function: 0_2_01708550 push 01707E66h; ret 0_2_01708057
Source: C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe Code function: 0_2_01708550 push 0170817Ah; ret 0_2_0170808B
Source: C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe Code function: 0_2_01708550 push 017082E5h; ret 0_2_017080D9
Source: C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe Code function: 0_2_01708550 push 0170826Ah; ret 0_2_0170819E
Source: C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe Code function: 0_2_01708550 push 0170849Ch; ret 0_2_017081E4
Source: C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe Code function: 0_2_01708550 push 01708321h; ret 0_2_017082E0
Source: C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe Code function: 0_2_01708550 push 01707FBFh; ret 0_2_0170831F
Source: C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe Code function: 0_2_01708550 push 01707FA8h; ret 0_2_0170834C
Source: C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe Code function: 0_2_01708550 push 017084BAh; ret 0_2_017083E2
Source: C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe Code function: 0_2_01708550 push 01708426h; ret 0_2_017084D8
Source: C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe Code function: 0_2_01708550 push 01708075h; ret 0_2_017084FD
Source: C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe Code function: 0_2_01708550 push 0170808Ch; ret 0_2_01708512
Source: C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe Code function: 0_2_01708550 push 01708D45h; ret 0_2_017087D3
Source: C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe Code function: 0_2_01708550 push 01708AB5h; ret 0_2_01708B13
Source: C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe Code function: 0_2_01708550 push 01708784h; ret 0_2_01708CA1
Source: POP_Swift_Copy_MTC78362-N70002.exe Static PE information: section name: .reloc entropy: 7.931614008409216
Source: carryover.exe.0.dr Static PE information: section name: .reloc entropy: 7.931614008409216
Source: Aut2exe.exe.4.dr Static PE information: section name: .rsrc entropy: 7.80064326337216
Source: Aut2exe_x64.exe.4.dr Static PE information: section name: .rsrc entropy: 7.800493622976467
Source: AutoIt3_x64.exe.4.dr Static PE information: section name: .reloc entropy: 7.943930640130804
Source: SciTE.exe.4.dr Static PE information: section name: .reloc entropy: 7.912303703030154
Source: updater.exe0.4.dr Static PE information: section name: .reloc entropy: 7.878651671057928
Source: jucheck.exe.4.dr Static PE information: section name: .reloc entropy: 7.93107912558795
Source: elevation_service.exe.4.dr Static PE information: section name: .reloc entropy: 7.945964521519644
Source: identity_helper.exe.4.dr Static PE information: section name: .reloc entropy: 7.940744738499413
Source: setup.exe.4.dr Static PE information: section name: .reloc entropy: 7.944736290939655
Source: elevation_service.exe0.4.dr Static PE information: section name: .reloc entropy: 7.945142573627974
Source: msedgewebview2.exe.4.dr Static PE information: section name: .reloc entropy: 7.936569354132492
Source: 7zFM.exe.4.dr Static PE information: section name: .reloc entropy: 7.932144684895964
Source: 7zG.exe.4.dr Static PE information: section name: .reloc entropy: 7.927685984710346
Source: Acrobat.exe.4.dr Static PE information: section name: .reloc entropy: 7.940532965726414
Source: msedge_proxy.exe.4.dr Static PE information: section name: .reloc entropy: 7.942269699239433
Source: msedge_pwa_launcher.exe.4.dr Static PE information: section name: .reloc entropy: 7.9462692738871805
Source: notification_click_helper.exe.4.dr Static PE information: section name: .reloc entropy: 7.944016294975139
Source: pwahelper.exe.4.dr Static PE information: section name: .reloc entropy: 7.940894459101313
Source: msedge_proxy.exe0.4.dr Static PE information: section name: .reloc entropy: 7.942270695426126
Source: pwahelper.exe0.4.dr Static PE information: section name: .reloc entropy: 7.940895768184267
Source: AcroCEF.exe.4.dr Static PE information: section name: .reloc entropy: 7.937567879377073
Source: SingleClientServicesUpdater.exe.4.dr Static PE information: section name: .reloc entropy: 7.9437091196084495
Source: OneDriveSetup.exe.4.dr Static PE information: section name: .reloc entropy: 7.866505160625916
Source: Integrator.exe.4.dr Static PE information: section name: .reloc entropy: 7.762376976281111
Source: excelcnv.exe.4.dr Static PE information: section name: .reloc entropy: 7.318858413592184
Source: AcroCEF.exe0.4.dr Static PE information: section name: .reloc entropy: 7.937552641019688
Source: SingleClientServicesUpdater.exe0.4.dr Static PE information: section name: .reloc entropy: 7.943718734136817

Persistence and Installation Behavior

Source: C:\Windows\System32\alg.exe File created: C:\Windows\system32\config\systemprofile\AppData\Roaming\c277c4d4e5834a36.bin Jump to behavior
Source: C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Jump to behavior
Source: C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Jump to behavior
Source: C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Jump to behavior
Source: C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Jump to behavior
Source: C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Jump to behavior
Source: C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Jump to behavior
Source: C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Jump to behavior
Source: C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Jump to behavior
Source: C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Jump to behavior
Source: C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Jump to behavior
Source: C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Jump to behavior
Source: C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Jump to behavior
Source: C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Jump to behavior
Source: C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\crashreporter.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\firefox.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\pingsender.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\plugin-container.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\private_browsing.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\updater.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSACCESS.EXE Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\servertool.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Mozilla Firefox\pingsender.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\lync.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe System file written: C:\Windows\System32\vds.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe System file written: C:\Windows\System32\snmptrap.exe Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe System file written: C:\Windows\System32\Spectrum.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe System file written: C:\Windows\System32\Locator.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Google\GoogleUpdater\135.0.7023.0\updater.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\7-Zip\7z.exe
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe System file written: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe System file written: C:\Windows\System32\AppVClient.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Mozilla Firefox\crashreporter.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\7-Zip\7zG.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe System file written: C:\Windows\SysWOW64\perfhost.exe
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe System file written: C:\Windows\System32\msiexec.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\keytool.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\lynchtmlconv.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\elevation_service.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\os_update_handler.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\IEContentService.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Mozilla Firefox\firefox.exe
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe System file written: C:\Windows\System32\TieringEngineService.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Mozilla Firefox\updater.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\kinit.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\AutoIt3\Au3Check.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\policytool.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.ShowHelp.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\7-Zip\Uninstall.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe System file written: C:\Windows\System32\FXSSVC.exe
Source: C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\rmiregistry.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe System file written: C:\Windows\System32\sppsvc.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe System file written: C:\Windows\System32\SensorDataService.exe
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe System file written: C:\Windows\System32\msdtc.exe
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe System file written: C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\java-rmi.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\Installer\setup.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\pack200.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\jabswitch.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe
Source: C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe System file written: C:\Windows\System32\alg.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\rmid.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\7-Zip\7zFM.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\klist.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\tnameserv.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXE
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe System file written: C:\Windows\System32\VSSVC.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\Installer\chrmstp.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\excelcnv.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\msoadfsb.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Mozilla Firefox\private_browsing.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\notification_helper.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\AutoIt3\Au3Info.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\jjs.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe System file written: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\orbd.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\chrome_pwa_launcher.exe
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe System file written: C:\Windows\System32\AgentService.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\elevated_tracing_service.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\ktab.exe
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe System file written: C:\Windows\System32\OpenSSH\ssh-agent.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Mozilla Firefox\plugin-container.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe
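The entries above are not independent drops: the submitted sample overwrites C:\Windows\System32\alg.exe, alg.exe then writes dozens of executables under Program Files, and one of those (Edge's elevation_service.exe) in turn writes service binaries in System32. The Python script below is an added example, not part of the Joe Sandbox report: it parses lines in the report's exact "Source: <writer> System file written: <target>" / "File created: <target>" format into writer-to-target edges and walks them from the sample to recover the infection generations, so a responder can see which "writers" are themselves overwritten legitimate binaries and which system binaries must be re-verified. The embedded input is a constructed subset of lines from this report (the trailing link text is kept to show the parser tolerates it); the function names are the example's own.

```python
"""Reconstruct the file-write chain from Joe Sandbox report lines.

Added example, not part of the sandbox report. Input lines are a constructed
subset of the entries in this analysis, in the report's own line format.
"""
import re
from collections import defaultdict, deque

# Submitted sample, as it appears in the report's Source column.
SAMPLE = r"C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe"

# Constructed input: eight report lines, including the trailing link text that
# page extraction leaves behind and a duplicate target reported twice.
REPORT_LINES = r"""
Source: C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe System file written: C:\Windows\System32\alg.exe Jump to behavior
Source: C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe File created: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\7-Zip\7z.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\7-Zip\7z.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe System file written: C:\Windows\System32\msiexec.exe Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe File created: C:\Windows\System32\vds.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File created: C:\Users\user\AppData\Local\Temp\build.exe Jump to dropped file
"""

# The action keyword is the only reliable separator: both paths contain spaces.
LINE_RE = re.compile(
    r"^Source: (?P<src>.+?) (?P<action>System file written|File created): "
    r"(?P<dst>.+?)(?: Jump to .*)?$"
)


def parse_line(line):
    """Return (writer, target) for one report line, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group("src"), m.group("dst")


def parse_report(text):
    """Deduplicated (writer, target) edges. 'System file written' and 'File created'
    for the same pair are the same event seen by two signatures, so they collapse."""
    edges = set()
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed:
            edges.add(parsed)
    return edges


def write_graph(edges):
    """Adjacency map: writer path -> set of target paths it wrote."""
    graph = defaultdict(set)
    for src, dst in edges:
        graph[src].add(dst)
    return graph


def infection_generations(edges, origin):
    """Breadth-first walk over writer->target edges starting at the sample.
    Generation 0 is the sample; a file of generation n was written by a file of
    generation n-1. A target that later appears as a writer proves the overwritten
    executable was executed and propagated the infection (file-infector behaviour,
    not plain dropping). Files not reachable from the sample are left out."""
    graph = write_graph(edges)
    gen = {origin: 0}
    queue = deque([origin])
    while queue:
        cur = queue.popleft()
        for nxt in graph.get(cur, ()):
            if nxt not in gen:
                gen[nxt] = gen[cur] + 1
                queue.append(nxt)
    return gen


def system_binaries_written(edges):
    """Targets under the Windows system directories, sorted. Each is a legitimate,
    usually service-hosted, binary that must be treated as replaced and re-verified
    (hash or Authenticode check against a known-good copy) before the host is trusted."""
    sysdirs = (r"c:\windows\system32", r"c:\windows\syswow64")
    return sorted({dst for _, dst in edges if dst.lower().startswith(sysdirs)})


def writers_not_the_sample(edges, origin):
    """Writer processes other than the submitted sample, with a count of targets each.
    Every entry is a previously legitimate executable that was overwritten first."""
    counts = defaultdict(int)
    for src, _ in edges:
        if src != origin:
            counts[src] += 1
    return dict(counts)


if __name__ == "__main__":
    edges = parse_report(REPORT_LINES)
    gens = infection_generations(edges, SAMPLE)
    for path, g in sorted(gens.items(), key=lambda kv: (kv[1], kv[0])):
        print(f"gen {g}: {path}")
    print("system binaries replaced:", system_binaries_written(edges))
    print("secondary writers:", writers_not_the_sample(edges, SAMPLE))
```

On the constructed input the walk yields alg.exe at generation 1, Edge's elevation_service.exe at generation 2 and msiexec.exe at generation 3, while RegSvcs.exe's drop of build.exe is not reachable from the sample through file writes (in the full report that process is reached by injection, which these lines do not record). The set of targets is specific to the software installed in the sandbox image; on a real host the list of overwritten executables will differ, so the parser should be run over that host's own telemetry rather than this report, and every listed path re-verified rather than assumed clean.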
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\servertool.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Mozilla Firefox\pingsender.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe File created: C:\Windows\System32\vds.exe
Source: C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe File created: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe File created: C:\Windows\System32\snmptrap.exe
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe File created: C:\Windows\System32\Spectrum.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe File created: C:\Windows\System32\Locator.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Google\GoogleUpdater\135.0.7023.0\updater.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Mozilla Firefox\default-browser-agent.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\7-Zip\7z.exe
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe File created: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe File created: C:\Windows\System32\AppVClient.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Mozilla Firefox\crashreporter.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\7-Zip\7zG.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe File created: C:\Windows\SysWOW64\perfhost.exe
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe File created: C:\Windows\System32\msiexec.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\keytool.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File created: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Google\Chrome\Application\134.0.6998.36\elevation_service.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Google\Chrome\Application\134.0.6998.36\os_update_handler.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Mozilla Firefox\maintenanceservice.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Mozilla Firefox\firefox.exe
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe File created: C:\Windows\System32\TieringEngineService.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Mozilla Firefox\updater.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\kinit.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\AutoIt3\Au3Check.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File created: C:\Users\user\AppData\Local\Temp\build.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\policytool.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.ShowHelp.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\7-Zip\Uninstall.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe File created: C:\Windows\System32\FXSSVC.exe
Source: C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe File created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\rmiregistry.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe File created: C:\Windows\System32\sppsvc.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe File created: C:\Windows\System32\SensorDataService.exe
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe File created: C:\Windows\System32\msdtc.exe
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe File created: C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\java-rmi.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Google\Chrome\Application\134.0.6998.36\Installer\setup.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\pack200.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\jabswitch.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe
Source: C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe File created: C:\Windows\System32\alg.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\rmid.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\7-Zip\7zFM.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\klist.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\tnameserv.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXE
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe File created: C:\Windows\System32\VSSVC.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\excelcnv.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Google\Chrome\Application\134.0.6998.36\Installer\chrmstp.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Mozilla Firefox\private_browsing.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Google\Chrome\Application\134.0.6998.36\notification_helper.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\AutoIt3\Au3Info.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\jjs.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe File created: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\orbd.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Google\Chrome\Application\134.0.6998.36\chrome_pwa_launcher.exe
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe File created: C:\Windows\System32\AgentService.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Google\Chrome\Application\134.0.6998.36\elevated_tracing_service.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Google\Chrome\Application\chrome_proxy.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\ktab.exe Jump to dropped file
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe File created: C:\Windows\System32\OpenSSH\ssh-agent.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Mozilla Firefox\plugin-container.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe Jump to dropped file
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe File created: C:\Windows\System32\snmptrap.exe Jump to dropped file
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe File created: C:\Windows\System32\Spectrum.exe Jump to dropped file
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe File created: C:\Windows\System32\Locator.exe Jump to dropped file
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe File created: C:\Windows\System32\AgentService.exe Jump to dropped file
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe File created: C:\Windows\System32\VSSVC.exe Jump to dropped file
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe File created: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe Jump to dropped file
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe File created: C:\Windows\System32\AppVClient.exe Jump to dropped file
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe File created: C:\Windows\System32\FXSSVC.exe Jump to dropped file
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe File created: C:\Windows\System32\TieringEngineService.exe Jump to dropped file
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe File created: C:\Windows\System32\vds.exe Jump to dropped file
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe File created: C:\Windows\System32\OpenSSH\ssh-agent.exe Jump to dropped file
Source: C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe File created: C:\Windows\System32\alg.exe Jump to dropped file
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe File created: C:\Windows\SysWOW64\perfhost.exe Jump to dropped file
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe File created: C:\Windows\System32\msiexec.exe Jump to dropped file
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe File created: C:\Windows\System32\sppsvc.exe Jump to dropped file
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe File created: C:\Windows\System32\SensorDataService.exe Jump to dropped file
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe File created: C:\Windows\System32\msdtc.exe Jump to dropped file
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe File created: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe Jump to dropped file

Boot Survival

Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\carryover.vbs Jump to dropped file
Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\carryover.vbs Jump to behavior
Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\carryover.vbs Jump to behavior
Source: C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe Code function: 0_2_0170CBD0 StrStrIW,CloseHandle,StrStrIW,CloseServiceHandle,OpenServiceW,StrStrIW,_wcslen,ChangeServiceConfigW,StrStrIW,StrStrIW,CloseServiceHandle,CloseHandle,StartServiceW, 0_2_0170CBD0

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe File written: C:\Users\user\AppData\Roaming\c277c4d4e5834a36.bin offset: 0 Jump to behavior
Source: C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe offset: 0 Jump to behavior
Source: C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe offset: 162304 Jump to behavior
Source: C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe offset: 735820 Jump to behavior
Source: C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe offset: 0 Jump to behavior
Source: C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe offset: 737280 Jump to behavior
Source: C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe offset: 1285120 Jump to behavior
Source: C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe offset: 0 Jump to behavior
Source: C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe offset: 1286144 Jump to behavior
Source: C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe offset: 1289427 Jump to behavior
Source: C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe offset: 0 Jump to behavior
Source: C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe offset: 0 Jump to behavior
Source: C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe offset: 735744 Jump to behavior
Source: C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe offset: 31704 Jump to behavior
Source: C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe offset: 0 Jump to behavior
Source: C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe File written: C:\Users\user\AppData\Local\Temp\aut2211.tmp offset: 0 Jump to behavior
Source: C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe File written: C:\Users\user\AppData\Local\Temp\aut2211.tmp offset: 729088 Jump to behavior
Source: C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe File written: C:\Users\user\AppData\Local\Temp\ghauts offset: 0 Jump to behavior
Source: C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe File written: C:\Windows\System32\alg.exe offset: 0 Jump to behavior
Source: C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe File written: C:\Windows\System32\alg.exe offset: 95744 Jump to behavior
Source: C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe File written: C:\Windows\System32\alg.exe offset: 669260 Jump to behavior
Source: C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe File written: C:\Windows\System32\alg.exe offset: 0 Jump to behavior
Source: C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe File written: C:\Windows\System32\alg.exe offset: 672768 Jump to behavior
Source: C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe File written: C:\Windows\System32\alg.exe offset: 1220608 Jump to behavior
Source: C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe File written: C:\Windows\System32\alg.exe offset: 0 Jump to behavior
Source: C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe File written: C:\Windows\System32\alg.exe offset: 1221632 Jump to behavior
Source: C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe File written: C:\Windows\System32\alg.exe offset: 1224840 Jump to behavior
Source: C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe File written: C:\Windows\System32\alg.exe offset: 0 Jump to behavior
Source: C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe File written: C:\Windows\System32\alg.exe offset: 0 Jump to behavior
Source: C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe File written: C:\Windows\System32\alg.exe offset: 669184 Jump to behavior
Source: C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe File written: C:\Windows\System32\alg.exe offset: 53125 Jump to behavior
Source: C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe File written: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe offset: 0 Jump to behavior
Source: C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe File written: C:\Windows\System32\alg.exe offset: 0 Jump to behavior
Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe File written: C:\Users\user\AppData\Local\Temp\aut2983.tmp offset: 0 Jump to behavior
Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe File written: C:\Users\user\AppData\Local\Temp\aut2983.tmp offset: 729088 Jump to behavior
Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe File written: C:\Users\user\AppData\Local\Temp\ghauts offset: 0 Jump to behavior
Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe File written: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\carryover.vbs offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Windows\System32\config\systemprofile\AppData\Roaming\c277c4d4e5834a36.bin offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\elevation_service.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\elevation_service.exe offset: 2136576 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\elevation_service.exe offset: 2710092 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\elevation_service.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\elevation_service.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\elevation_service.exe offset: 2710016 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\elevation_service.exe offset: 1093484 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\elevation_service.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files (x86)\Google\GoogleUpdater\135.0.7023.0\updater.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files (x86)\Google\GoogleUpdater\135.0.7023.0\updater.exe offset: 5735424 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files (x86)\Google\GoogleUpdater\135.0.7023.0\updater.exe offset: 6308940 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files (x86)\Google\GoogleUpdater\135.0.7023.0\updater.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files (x86)\Google\GoogleUpdater\135.0.7023.0\updater.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files (x86)\Google\GoogleUpdater\135.0.7023.0\updater.exe offset: 6308864 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files (x86)\Google\GoogleUpdater\135.0.7023.0\updater.exe offset: 2318133 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files (x86)\Google\GoogleUpdater\135.0.7023.0\updater.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe offset: 1776128 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe offset: 2349644 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe offset: 2349568 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe offset: 677164 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe offset: 228352 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe offset: 801868 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe offset: 801792 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe offset: 43297 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\7-Zip\7z.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\7-Zip\7z.exe offset: 557056 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\7-Zip\7z.exe offset: 1130572 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\7-Zip\7z.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\7-Zip\7z.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\7-Zip\7z.exe offset: 1130496 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\7-Zip\7z.exe offset: 382726 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\7-Zip\7z.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\7-Zip\7zFM.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\7-Zip\7zFM.exe offset: 952832 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\7-Zip\7zFM.exe offset: 1526348 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\7-Zip\7zFM.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\7-Zip\7zFM.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\7-Zip\7zFM.exe offset: 1526272 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\7-Zip\7zFM.exe offset: 614020 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\7-Zip\7zFM.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\7-Zip\7zG.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\7-Zip\7zG.exe offset: 700416 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\7-Zip\7zG.exe offset: 1273932 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\7-Zip\7zG.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\7-Zip\7zG.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\7-Zip\7zG.exe offset: 1273856 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\7-Zip\7zG.exe offset: 464916 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\7-Zip\7zG.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\7-Zip\Uninstall.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\7-Zip\Uninstall.exe offset: 14848 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\7-Zip\Uninstall.exe offset: 588364 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\7-Zip\Uninstall.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\7-Zip\Uninstall.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\7-Zip\Uninstall.exe offset: 588288 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\7-Zip\Uninstall.exe offset: 5610 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\7-Zip\Uninstall.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe offset: 5630464 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe offset: 6203980 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe offset: 6203904 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe offset: 3201596 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe offset: 27136 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe offset: 600652 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe offset: 600576 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe offset: 8988 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe offset: 31744 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe offset: 605260 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe offset: 605184 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe offset: 12684 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe offset: 332800 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe offset: 906316 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe offset: 906240 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe offset: 232412 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe offset: 3571200 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe offset: 4144716 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe offset: 4144640 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe offset: 1485948 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe offset: 59362816 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe offset: 59936332 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe offset: 59936256 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe offset: 140924 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe offset: 3571200 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe offset: 4144716 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe offset: 4144640 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe offset: 1485948 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe offset: 59362816
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe offset: 59936332
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe offset: 59936256
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe offset: 140924
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe offset: 50176
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe offset: 623692
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe offset: 623616
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe offset: 24668
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe offset: 328192
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe offset: 901708
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe offset: 901632
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe offset: 4988
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe offset: 642048
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe offset: 1215564
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe offset: 1215488
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe offset: 132252
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe offset: 11459072
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe offset: 12032588
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe offset: 12032512
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe offset: 4630732
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe offset: 192512
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe offset: 766028
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe offset: 765952
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe offset: 95345
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe offset: 759296
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe offset: 1332812
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe offset: 1332736
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe offset: 285633
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe offset: 385536
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe offset: 959052
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe offset: 958976
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe offset: 182364
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe offset: 123904
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe offset: 697420
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe offset: 697344
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe offset: 66716
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe offset: 1102848
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe offset: 1676364
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe offset: 1676288
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe offset: 753617
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe offset: 2531840
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe offset: 3105356
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe offset: 3105280
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe offset: 1150992
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe offset: 459776
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe offset: 1033292
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe offset: 1033216
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe offset: 209348
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe offset: 99840
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe offset: 673356
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe offset: 673280
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe offset: 69527
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe offset: 256512
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe offset: 830028
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe offset: 829952
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe offset: 72028
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe offset: 521216
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe offset: 1094732
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe offset: 1094656
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe offset: 321696
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe offset: 210944
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe offset: 784460
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe offset: 784384
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe offset: 126840
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe offset: 13312
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe offset: 586828
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe offset: 586752
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe offset: 2828
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe offset: 4785664
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe offset: 5359180
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe offset: 5359104
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe offset: 2430581
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe offset: 632832
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe offset: 1206348
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe offset: 1206272
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe offset: 206444
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe offset: 2578944
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe offset: 3152460
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe offset: 3152384
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe offset: 16859
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe offset: 1617920
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe offset: 2191436
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe offset: 2191360
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe offset: 860981
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe offset: 258048
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe offset: 831564
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe offset: 831488
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe offset: 82352
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe offset: 5274624
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe offset: 5848140
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe offset: 5848064
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe offset: 3286540
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe offset: 185344
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe offset: 758860
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe offset: 758784
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe offset: 151349
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe offset: 26954240
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe offset: 27527756
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe offset: 27527680
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe offset: 11401068
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe offset: 4392960
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe offset: 4966476
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe offset: 4966400
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe offset: 2843313
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\chrome_pwa_launcher.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\chrome_pwa_launcher.exe offset: 1755648
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\chrome_pwa_launcher.exe offset: 2329164
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\chrome_pwa_launcher.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\chrome_pwa_launcher.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\chrome_pwa_launcher.exe offset: 2329088
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\chrome_pwa_launcher.exe offset: 740604
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\chrome_pwa_launcher.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\elevated_tracing_service.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\elevated_tracing_service.exe offset: 3347968
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\elevated_tracing_service.exe offset: 3921484
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\elevated_tracing_service.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\elevated_tracing_service.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\elevated_tracing_service.exe offset: 3921408
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\elevated_tracing_service.exe offset: 1777084
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\elevated_tracing_service.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\Installer\chrmstp.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\Installer\chrmstp.exe offset: 6470144
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\Installer\chrmstp.exe offset: 7043660
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\Installer\chrmstp.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\Installer\chrmstp.exe offset: 0
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\Installer\chrmstp.exe offset: 7043584
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\Installer\chrmstp.exe offset: 2807964
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\Installer\chrmstp.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\Installer\setup.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\Installer\setup.exe offset: 6470144 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\Installer\setup.exe offset: 7043660 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\Installer\setup.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\Installer\setup.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\Installer\setup.exe offset: 7043584 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\Installer\setup.exe offset: 2807964 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\Installer\setup.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\notification_helper.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\notification_helper.exe offset: 1665536 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\notification_helper.exe offset: 2239052 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\notification_helper.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\notification_helper.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\notification_helper.exe offset: 2238976 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\notification_helper.exe offset: 853340 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\notification_helper.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\os_update_handler.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\os_update_handler.exe offset: 1861120 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\os_update_handler.exe offset: 2434636 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\os_update_handler.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\os_update_handler.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\os_update_handler.exe offset: 2434560 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\os_update_handler.exe offset: 910188 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\os_update_handler.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Google\Chrome\Application\chrome_proxy.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Google\Chrome\Application\chrome_proxy.exe offset: 1445888 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Google\Chrome\Application\chrome_proxy.exe offset: 2019404 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Google\Chrome\Application\chrome_proxy.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Google\Chrome\Application\chrome_proxy.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Google\Chrome\Application\chrome_proxy.exe offset: 2019328 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Google\Chrome\Application\chrome_proxy.exe offset: 728892 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Google\Chrome\Application\chrome_proxy.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\crashreporter.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\crashreporter.exe offset: 248832 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\crashreporter.exe offset: 822348 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\crashreporter.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\crashreporter.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\crashreporter.exe offset: 822272 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\crashreporter.exe offset: 121980 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\crashreporter.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe offset: 707072 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe offset: 1280588 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe offset: 1280512 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe offset: 346881 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\firefox.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\firefox.exe offset: 666112 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\firefox.exe offset: 1239628 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\firefox.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\firefox.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\firefox.exe offset: 1239552 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\firefox.exe offset: 193089 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\firefox.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe offset: 228352 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe offset: 801868 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe offset: 801792 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe offset: 43297 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe offset: 762368 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe offset: 1335884 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe offset: 1335808 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe offset: 239297 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\pingsender.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\pingsender.exe offset: 70144 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\pingsender.exe offset: 643660 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\pingsender.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\pingsender.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\pingsender.exe offset: 643584 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\pingsender.exe offset: 32241 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\pingsender.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\plugin-container.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\plugin-container.exe offset: 279040 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\plugin-container.exe offset: 852556 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\plugin-container.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\plugin-container.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\plugin-container.exe offset: 852480 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\plugin-container.exe offset: 111633 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\plugin-container.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\private_browsing.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\private_browsing.exe offset: 55296 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\private_browsing.exe offset: 628812 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\private_browsing.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\private_browsing.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\private_browsing.exe offset: 628736 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\private_browsing.exe offset: 4108 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\private_browsing.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\updater.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\updater.exe offset: 403968 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\updater.exe offset: 977484 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\updater.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\updater.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\updater.exe offset: 977408 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\updater.exe offset: 79009 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\updater.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files (x86)\AutoIt3\Au3Check.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files (x86)\AutoIt3\Au3Check.exe offset: 224256 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files (x86)\AutoIt3\Au3Check.exe offset: 797772 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files (x86)\AutoIt3\Au3Check.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files (x86)\AutoIt3\Au3Check.exe offset: 0 Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files (x86)\AutoIt3\Au3Check.exe offset: 797696 Jump to behavior
Source: C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe Code function: 0_2_004048D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_004048D7
Source: C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe Code function: 0_2_00423187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00423187
Source: C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe Code function: 7_2_009952A0 GetSystemDefaultLangID, lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] 7_2_009952A0
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Code function: 11_2_015A52A0 GetSystemDefaultLangID, lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] 11_2_015A52A0
Source: C:\Windows\System32\AppVClient.exe Code function: 28_2_00B952A0 GetSystemDefaultLangID, lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] 28_2_00B952A0
Source: C:\Windows\System32\FXSSVC.exe Code function: 32_2_00D252A0 GetSystemDefaultLangID, lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] 32_2_00D252A0
Source: C:\Windows\System32\msdtc.exe Code function: 33_2_00CB52A0 GetSystemDefaultLangID, lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] 33_2_00CB52A0
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe Code function: 34_2_00BC52A0 GetSystemDefaultLangID, lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] 34_2_00BC52A0
Source: C:\Windows\System32\Locator.exe Code function: 36_2_006F52A0 GetSystemDefaultLangID, lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] 36_2_006F52A0
Source: C:\Windows\System32\SensorDataService.exe Code function: 37_2_007352A0 GetSystemDefaultLangID, lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] 37_2_007352A0
Source: C:\Windows\System32\snmptrap.exe Code function: 38_2_007452A0 GetSystemDefaultLangID, lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] 38_2_007452A0
Source: C:\Users\user\AppData\Local\Temp\build.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\build.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe API/Special instruction interceptor: Address: D0D24C
Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe API/Special instruction interceptor: Address: C2125C
Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe API/Special instruction interceptor: Address: DDDA1C
Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe API/Special instruction interceptor: Address: B5023C
Source: RegSvcs.exe, 00000008.00000002.939369508.0000000003F69000.00000004.00000800.00020000.00000000.sdmp, Origin_rawfile.exe, 00000009.00000000.924376846.0000000000D92000.00000002.00000001.01000000.00000008.sdmp, Origin_rawfile.exe, 00000009.00000002.2158193336.00000000031D1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Memory allocated: 2F10000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Memory allocated: 31A0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\build.exe Memory allocated: AE0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\build.exe Memory allocated: 2530000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,CloseHandle,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,#8,#8,#8,#15,#23,#24,#16,#411,#9,#9,#9, 8_2_004019F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Thread delayed: delay time: 1199891
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Thread delayed: delay time: 1199762
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Thread delayed: delay time: 1199654
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Thread delayed: delay time: 1199545
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Thread delayed: delay time: 1199432
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Thread delayed: delay time: 1199324
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Thread delayed: delay time: 1199207
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Thread delayed: delay time: 1199079
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Thread delayed: delay time: 1198954
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Thread delayed: delay time: 1198834
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Thread delayed: delay time: 1198704
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Thread delayed: delay time: 1198579
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Thread delayed: delay time: 1198454
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Thread delayed: delay time: 1198321
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Thread delayed: delay time: 1198204
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Thread delayed: delay time: 1198046
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Thread delayed: delay time: 1197937
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Thread delayed: delay time: 1197743
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Thread delayed: delay time: 1197591
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Thread delayed: delay time: 1197122
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Thread delayed: delay time: 1196914
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Thread delayed: delay time: 1196771
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Thread delayed: delay time: 1196641
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Thread delayed: delay time: 1196516
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Thread delayed: delay time: 1196406
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Thread delayed: delay time: 1196297
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Thread delayed: delay time: 1196188
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Thread delayed: delay time: 1196063
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Thread delayed: delay time: 1195938
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Thread delayed: delay time: 1195828
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Thread delayed: delay time: 1195719
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Thread delayed: delay time: 1195594
Source: C:\Users\user\AppData\Local\Temp\build.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Window / User API: threadDelayed 4310
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Window / User API: threadDelayed 5501
Source: C:\Users\user\AppData\Local\Temp\build.exe Window / User API: threadDelayed 4891
Source: C:\Users\user\AppData\Local\Temp\build.exe Window / User API: threadDelayed 4774
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\servertool.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\pingsender.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe Dropped PE file which has not been started: C:\Windows\System32\vds.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\default-browser-agent.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\GoogleUpdater\135.0.7023.0\updater.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\7-Zip\7z.exe
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe Dropped PE file which has not been started: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\crashreporter.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\7-Zip\7zG.exe
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe Dropped PE file which has not been started: C:\Windows\System32\msiexec.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\keytool.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\134.0.6998.36\elevation_service.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\134.0.6998.36\os_update_handler.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\maintenanceservice.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\firefox.exe
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe Dropped PE file which has not been started: C:\Windows\System32\TieringEngineService.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\updater.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\kinit.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Check.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\policytool.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.ShowHelp.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\7-Zip\Uninstall.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\rmiregistry.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe Dropped PE file which has not been started: C:\Windows\System32\sppsvc.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe Dropped PE file which has not been started: C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\java-rmi.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\134.0.6998.36\Installer\setup.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\pack200.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\jabswitch.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\rmid.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\7-Zip\7zFM.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\klist.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\tnameserv.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXE Jump to dropped file
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe Dropped PE file which has not been started: C:\Windows\System32\VSSVC.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE Jump to dropped file
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\excelcnv.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\134.0.6998.36\Installer\chrmstp.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\private_browsing.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\134.0.6998.36\notification_helper.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Info.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\jjs.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\orbd.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\134.0.6998.36\chrome_pwa_launcher.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe Jump to dropped file
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe Dropped PE file which has not been started: C:\Windows\System32\AgentService.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\134.0.6998.36\elevated_tracing_service.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\chrome_proxy.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\ktab.exe Jump to dropped file
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe Dropped PE file which has not been started: C:\Windows\System32\OpenSSH\ssh-agent.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\plugin-container.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
Source: C:\Windows\System32\SensorDataService.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\System32\snmptrap.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\System32\FXSSVC.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\System32\msdtc.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\System32\AppVClient.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\System32\Locator.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe API coverage: 9.8 %
Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe TID: 1320 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\alg.exe TID: 516 Thread sleep time: -300000s >= -30000s
Source: C:\Windows\System32\alg.exe TID: 6212 Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe TID: 6704 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe TID: 7436 Thread sleep time: -34126476536362649s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe TID: 7436 Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe TID: 7436 Thread sleep time: -99874s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe TID: 7436 Thread sleep time: -99766s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe TID: 7436 Thread sleep time: -99656s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe TID: 7436 Thread sleep time: -99547s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe TID: 7436 Thread sleep time: -99437s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe TID: 7436 Thread sleep time: -99328s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe TID: 7436 Thread sleep time: -99219s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe TID: 7436 Thread sleep time: -99109s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe TID: 7436 Thread sleep time: -99000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe TID: 7436 Thread sleep time: -98891s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe TID: 7436 Thread sleep time: -98781s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe TID: 7436 Thread sleep time: -98672s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe TID: 7436 Thread sleep time: -98562s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe TID: 7436 Thread sleep time: -98453s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe TID: 7436 Thread sleep time: -98343s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe TID: 7436 Thread sleep time: -98234s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe TID: 7436 Thread sleep time: -97790s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe TID: 7436 Thread sleep time: -97660s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe TID: 7436 Thread sleep time: -97372s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe TID: 7436 Thread sleep time: -97207s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe TID: 7436 Thread sleep time: -97078s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe TID: 7436 Thread sleep time: -96968s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe TID: 7436 Thread sleep time: -96859s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe TID: 7436 Thread sleep time: -1199891s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe TID: 7436 Thread sleep time: -1199762s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe TID: 7436 Thread sleep time: -1199654s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe TID: 7436 Thread sleep time: -1199545s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe TID: 7436 Thread sleep time: -1199432s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe TID: 7436 Thread sleep time: -1199324s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe TID: 7436 Thread sleep time: -1199207s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe TID: 7436 Thread sleep time: -1199079s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe TID: 7436 Thread sleep time: -1198954s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe TID: 7436 Thread sleep time: -1198834s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe TID: 7436 Thread sleep time: -1198704s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe TID: 7436 Thread sleep time: -1198579s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe TID: 7436 Thread sleep time: -1198454s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe TID: 7436 Thread sleep time: -1198321s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe TID: 7436 Thread sleep time: -1198204s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe TID: 7436 Thread sleep time: -1198046s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe TID: 7436 Thread sleep time: -1197937s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe TID: 7436 Thread sleep time: -1197743s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe TID: 7436 Thread sleep time: -1197591s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe TID: 7436 Thread sleep time: -1197122s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe TID: 7436 Thread sleep time: -1196914s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe TID: 7436 Thread sleep time: -1196771s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe TID: 7436 Thread sleep time: -1196641s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe TID: 7436 Thread sleep time: -1196516s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe TID: 7436 Thread sleep time: -1196406s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe TID: 7436 Thread sleep time: -1196297s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe TID: 7436 Thread sleep time: -1196188s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe TID: 7436 Thread sleep time: -1196063s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe TID: 7436 Thread sleep time: -1195938s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe TID: 7436 Thread sleep time: -1195828s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe TID: 7436 Thread sleep time: -1195719s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe TID: 7436 Thread sleep time: -1195594s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\build.exe TID: 7560 Thread sleep time: -35048813740048126s >= -30000s
Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe TID: 7588 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe TID: 7720 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\msdtc.exe TID: 8068 Thread sleep count: 145 > 30
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\build.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe Code function: 0_2_0046445A GetFileAttributesW,FindFirstFileW,FindClose, 0_2_0046445A
Source: C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe Code function: 0_2_004049A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_004049A0
Source: C:\Windows\System32\alg.exe Thread delayed: delay time: 60000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Thread delayed: delay time: 99874
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Thread delayed: delay time: 99766
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Thread delayed: delay time: 99656
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Thread delayed: delay time: 99547
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Thread delayed: delay time: 99437
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Thread delayed: delay time: 99328
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Thread delayed: delay time: 99219
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Thread delayed: delay time: 99109
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Thread delayed: delay time: 99000
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Thread delayed: delay time: 98891
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Thread delayed: delay time: 98781
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Thread delayed: delay time: 98672
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Thread delayed: delay time: 98562
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Thread delayed: delay time: 98453
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Thread delayed: delay time: 98343
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Thread delayed: delay time: 98234
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Thread delayed: delay time: 97790
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Thread delayed: delay time: 97660
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Thread delayed: delay time: 97372
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Thread delayed: delay time: 97207
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Thread delayed: delay time: 97078
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Thread delayed: delay time: 96968
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Thread delayed: delay time: 96859
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Thread delayed: delay time: 1199891
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Thread delayed: delay time: 1199762
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Thread delayed: delay time: 1199654
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Thread delayed: delay time: 1199545
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Thread delayed: delay time: 1199432
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Thread delayed: delay time: 1199324
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Thread delayed: delay time: 1199207
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Thread delayed: delay time: 1199079
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Thread delayed: delay time: 1198954
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Thread delayed: delay time: 1198834
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Thread delayed: delay time: 1198704
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Thread delayed: delay time: 1198579
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Thread delayed: delay time: 1198454
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Thread delayed: delay time: 1198321
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Thread delayed: delay time: 1198204
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Thread delayed: delay time: 1198046
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Thread delayed: delay time: 1197937
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Thread delayed: delay time: 1197743
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Thread delayed: delay time: 1197591
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Thread delayed: delay time: 1197122
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Thread delayed: delay time: 1196914
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Thread delayed: delay time: 1196771
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Thread delayed: delay time: 1196641
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Thread delayed: delay time: 1196516
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Thread delayed: delay time: 1196406
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Thread delayed: delay time: 1196297
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Thread delayed: delay time: 1196188
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Thread delayed: delay time: 1196063
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Thread delayed: delay time: 1195938
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Thread delayed: delay time: 1195828
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Thread delayed: delay time: 1195719
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Thread delayed: delay time: 1195594
Source: C:\Users\user\AppData\Local\Temp\build.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\alg.exe File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath\java.exe
Source: C:\Windows\System32\alg.exe File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath\javaw.exe
Source: C:\Windows\System32\alg.exe File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath\javaws.exe
Source: C:\Windows\System32\alg.exe File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath_target_749031\java.exe
Source: C:\Windows\System32\alg.exe File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath_target_749031\javaw.exe
Source: C:\Windows\System32\alg.exe File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath_target_749031\javaws.exe
Source: Origin_rawfile.exe, 00000009.00000002.2158193336.00000000031D1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware
Source: build.exe, 0000000A.00000002.1328060914.000000000381E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696494690
Source: build.exe, 0000000A.00000002.1328060914.00000000037E9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696494690n
Source: build.exe, 0000000A.00000002.1328060914.000000000381E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696494690
Source: build.exe, 0000000A.00000002.1328060914.000000000381E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696494690p
Source: build.exe, 0000000A.00000002.1328060914.00000000037E9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696494690]
Source: build.exe, 0000000A.00000002.1328060914.000000000381E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696494690
Source: build.exe, 0000000A.00000002.1328060914.000000000381E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696494690
Source: build.exe, 0000000A.00000002.1328060914.000000000381E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696494690d
Source: build.exe, 0000000A.00000002.1328060914.000000000381E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696494690u
Source: carryover.exe, 00000003.00000002.897217661.0000000000D43000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000004.00000003.1386279208.000000000065D000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000004.00000003.912605706.000000000065D000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000004.00000003.922597959.000000000065D000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000004.00000003.933185732.000000000065D000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000004.00000003.904170083.000000000065D000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000004.00000003.953993845.000000000065D000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000004.00000003.936550043.000000000065D000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000004.00000003.906101921.000000000065D000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000004.00000003.1173388409.000000000065D000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000004.00000003.892866836.000000000065D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: build.exe, 0000000A.00000002.1328060914.00000000037E9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696494690
Source: build.exe, 0000000A.00000002.1302827843.0000000000774000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll(
Source: build.exe, 0000000A.00000002.1328060914.00000000037E9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696494690
Source: build.exe, 0000000A.00000002.1328060914.00000000037E9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696494690
Source: build.exe, 0000000A.00000002.1328060914.00000000037E9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696494690
Source: build.exe, 0000000A.00000002.1328060914.000000000381E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696494690o
Source: build.exe, 0000000A.00000002.1328060914.000000000381E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696494690~
Source: carryover.exe, 0000000D.00000002.1026508197.0000000000DE2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWPm
Source: Origin_rawfile.exe, 00000009.00000002.2158193336.00000000031D1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware
Source: build.exe, 0000000A.00000002.1328060914.000000000381E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696494690
Source: build.exe, 0000000A.00000002.1328060914.00000000037E9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696494690x
Source: build.exe, 0000000A.00000002.1328060914.000000000381E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696494690
Source: build.exe, 0000000A.00000002.1328060914.000000000381E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696494690t
Source: build.exe, 0000000A.00000002.1328060914.000000000381E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696494690x
Source: build.exe, 0000000A.00000002.1328060914.000000000381E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696494690}
Source: build.exe, 0000000A.00000002.1328060914.000000000381E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690
Source: build.exe, 0000000A.00000002.1328060914.000000000381E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696494690]
Source: build.exe, 0000000A.00000002.1328060914.000000000381E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696494690x
Source: build.exe, 0000000A.00000002.1328060914.00000000037E9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696494690|UE
Source: build.exe, 0000000A.00000002.1328060914.00000000037E9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696494690d
Source: build.exe, 0000000A.00000002.1328060914.000000000381E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696494690
Source: build.exe, 0000000A.00000002.1328060914.000000000381E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696494690|UE
Source: build.exe, 0000000A.00000002.1328060914.000000000381E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696494690f
Source: build.exe, 0000000A.00000002.1328060914.00000000037E9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696494690t
Source: build.exe, 0000000A.00000002.1328060914.000000000381E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696494690s
Source: build.exe, 0000000A.00000002.1328060914.00000000037E9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696494690
Source: build.exe, 0000000A.00000002.1328060914.000000000381E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696494690
Source: build.exe, 0000000A.00000002.1328060914.000000000381E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696494690n
Source: build.exe, 0000000A.00000002.1328060914.00000000037E9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696494690t
Source: build.exe, 0000000A.00000002.1328060914.00000000037E9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696494690u
Source: build.exe, 0000000A.00000002.1328060914.00000000037E9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696494690~
Source: build.exe, 0000000A.00000002.1328060914.00000000037E9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696494690}
Source: build.exe, 0000000A.00000002.1328060914.000000000381E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696494690t
Source: carryover.exe, 00000010.00000002.1044093494.0000000000B86000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%
Source: build.exe, 0000000A.00000002.1328060914.00000000037E9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696494690o
Source: build.exe, 0000000A.00000002.1328060914.00000000037E9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696494690j
Source: build.exe, 0000000A.00000002.1328060914.00000000037E9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696494690p
Source: build.exe, 0000000A.00000002.1328060914.000000000381E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696494690}
Source: build.exe, 0000000A.00000002.1328060914.00000000037E9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696494690x
Source: build.exe, 0000000A.00000002.1328060914.00000000037E9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696494690
Source: build.exe, 0000000A.00000002.1328060914.000000000381E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696494690x
Source: build.exe, 0000000A.00000002.1328060914.00000000037E9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696494690}
Source: build.exe, 0000000A.00000002.1328060914.000000000381E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690^
Source: build.exe, 0000000A.00000002.1328060914.000000000381E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696494690
Source: POP_Swift_Copy_MTC78362-N70002.exe, 00000000.00000002.870277522.0000000000B51000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: build.exe, 0000000A.00000002.1328060914.000000000381E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696494690z
Source: build.exe, 0000000A.00000002.1328060914.000000000381E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696494690h
Source: carryover.exe, 00000003.00000002.897217661.0000000000D11000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWX
Source: build.exe, 0000000A.00000002.1328060914.00000000037E9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696494690
Source: build.exe, 0000000A.00000002.1328060914.00000000037E9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696494690s
Source: carryover.exe, 00000003.00000002.897217661.0000000000D43000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWZ
Source: build.exe, 0000000A.00000002.1328060914.000000000381E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696494690j
Source: Origin_rawfile.exe, 00000009.00000002.2130174795.0000000001434000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllq
Source: build.exe, 0000000A.00000002.1328060914.00000000037E9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690
Source: Origin_rawfile.exe, 00000009.00000000.924376846.0000000000D92000.00000002.00000001.01000000.00000008.sdmp Binary or memory string: VMwareVBoxESelect * from Win32_ComputerSystem
Source: alg.exe, 00000004.00000003.1173663575.00000000005FF000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000004.00000003.1386603542.00000000005FF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW@;f%SystemRoot%\system32\mswsock.dll
Source: carryover.exe, 0000000D.00000002.1026508197.0000000000E08000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWG
Source: build.exe, 0000000A.00000002.1328060914.00000000037E9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696494690z
Source: build.exe, 0000000A.00000002.1328060914.00000000037E9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690^
Source: build.exe, 0000000A.00000002.1328060914.00000000037E9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696494690x
Source: build.exe, 0000000A.00000002.1328060914.00000000037E9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696494690
Source: build.exe, 0000000A.00000002.1328060914.00000000037E9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696494690
Source: build.exe, 0000000A.00000002.1328060914.00000000037E9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696494690f
Source: build.exe, 0000000A.00000002.1328060914.00000000037E9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696494690h
Source: C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe API call chain: ExitProcess graph end node
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Code function: 9_2_031070A0 CheckRemoteDebuggerPresent, 9_2_031070A0
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe Code function: 0_2_0043B2C1 IsDebuggerPresent,OutputDebugStringW, 0_2_0043B2C1
Source: C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe Code function: 0_2_00435A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 0_2_00435A7C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,CloseHandle,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,#8,#8,#8,#15,#23,#24,#16,#411,#9,#9,#9, 8_2_004019F0
Source: C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe Code function: 0_2_00404B37 LoadLibraryA,GetProcAddress, 0_2_00404B37
Source: C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe Code function: 0_2_00B421C0 mov eax, dword ptr fs:[00000030h] 0_2_00B421C0
Source: C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe Code function: 0_2_00B42160 mov eax, dword ptr fs:[00000030h] 0_2_00B42160
Source: C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe Code function: 0_2_00B40B30 mov eax, dword ptr fs:[00000030h] 0_2_00B40B30
Source: C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe Code function: 0_2_016E1130 mov eax, dword ptr fs:[00000030h] 0_2_016E1130
Source: C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe Code function: 0_2_01723F3D mov eax, dword ptr fs:[00000030h] 0_2_01723F3D
Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe Code function: 3_2_00AA1130 mov eax, dword ptr fs:[00000030h] 3_2_00AA1130
Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe Code function: 3_2_00AE3F3D mov eax, dword ptr fs:[00000030h] 3_2_00AE3F3D
Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe Code function: 3_2_00D0D4B8 mov eax, dword ptr fs:[00000030h] 3_2_00D0D4B8
Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe Code function: 3_2_00D0D518 mov eax, dword ptr fs:[00000030h] 3_2_00D0D518
Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe Code function: 3_2_00D0BE88 mov eax, dword ptr fs:[00000030h] 3_2_00D0BE88
Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe Code function: 6_2_00C214C8 mov eax, dword ptr fs:[00000030h] 6_2_00C214C8
Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe Code function: 6_2_00C1FE98 mov eax, dword ptr fs:[00000030h] 6_2_00C1FE98
Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe Code function: 6_2_00C21528 mov eax, dword ptr fs:[00000030h] 6_2_00C21528
Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe Code function: 6_2_02FB1130 mov eax, dword ptr fs:[00000030h] 6_2_02FB1130
Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe Code function: 6_2_02FF3F3D mov eax, dword ptr fs:[00000030h] 6_2_02FF3F3D
Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe Code function: 13_2_00AD1130 mov eax, dword ptr fs:[00000030h] 13_2_00AD1130
Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe Code function: 13_2_00B13F3D mov eax, dword ptr fs:[00000030h] 13_2_00B13F3D
Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe Code function: 13_2_00DDDCE8 mov eax, dword ptr fs:[00000030h] 13_2_00DDDCE8
Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe Code function: 13_2_00DDDC88 mov eax, dword ptr fs:[00000030h] 13_2_00DDDC88
Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe Code function: 13_2_00DDC658 mov eax, dword ptr fs:[00000030h] 13_2_00DDC658
Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe Code function: 16_2_00B504A8 mov eax, dword ptr fs:[00000030h] 16_2_00B504A8
Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe Code function: 16_2_00B50508 mov eax, dword ptr fs:[00000030h] 16_2_00B50508
Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe Code function: 16_2_00B4EE78 mov eax, dword ptr fs:[00000030h] 16_2_00B4EE78
Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe Code function: 16_2_01331130 mov eax, dword ptr fs:[00000030h] 16_2_01331130
Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe Code function: 16_2_01373F3D mov eax, dword ptr fs:[00000030h] 16_2_01373F3D
Source: C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe Code function: 0_2_004397FC GetProcessHeap,HeapAlloc,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock, 0_2_004397FC
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\build.exe Process token adjusted: Debug
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe Code function: 0_2_0042A155 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0042A155
Source: C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe Code function: 0_2_0042A124 SetUnhandledExceptionFilter, 0_2_0042A124
Source: C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe Code function: 0_2_01721361 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_01721361
Source: C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe Code function: 0_2_01724C7B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_01724C7B
Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe Code function: 3_2_00AE1361 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_00AE1361
Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe Code function: 3_2_00AE4C7B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_00AE4C7B
Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe Code function: 6_2_02FF1361 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_02FF1361
Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe Code function: 6_2_02FF4C7B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 6_2_02FF4C7B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 8_2_0040CE09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 8_2_0040E61C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 8_2_00416F6A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_004123F1 SetUnhandledExceptionFilter, 8_2_004123F1
Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe Code function: 13_2_00B11361 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 13_2_00B11361
Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe Code function: 13_2_00B14C7B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 13_2_00B14C7B
Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe Code function: 16_2_01371361 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 16_2_01371361
Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe Code function: 16_2_01374C7B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 16_2_01374C7B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe NtOpenKeyEx: Indirect: 0x140077B9B
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe NtQueryValueKey: Indirect: 0x140077C9F
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe NtClose: Indirect: 0x140077E81
Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe Section unmapped: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base address: 470000
Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: BD0008
Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: D11008
Source: C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe Code function: 0_2_004048D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_004048D7
Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe"
Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\nonsubmerged\carryover.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process created: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe "C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process created: C:\Users\user\AppData\Local\Temp\build.exe "C:\Users\user\AppData\Local\Temp\build.exe"
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe "C:\Users\user\AppData\Local\nonsubmerged\carryover.exe"
Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\nonsubmerged\carryover.exe"
Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\nonsubmerged\carryover.exe"
Source: C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe Code function: 0_2_0045874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 0_2_0045874B
Source: POP_Swift_Copy_MTC78362-N70002.exe, 00000000.00000000.855293180.00000000004B4000.00000002.00000001.01000000.00000003.sdmp, POP_Swift_Copy_MTC78362-N70002.exe, 00000000.00000003.867434515.00000000042E3000.00000004.00001000.00020000.00000000.sdmp, carryover.exe, 00000003.00000002.894767763.00000000004B4000.00000002.00000001.01000000.00000004.sdmp Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: POP_Swift_Copy_MTC78362-N70002.exe Binary or memory string: Shell_TrayWnd
Source: C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe Code function: 0_2_0042862B cpuid 0_2_0042862B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: GetLocaleInfoA, 8_2_00417A20
Source: C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\alg.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Queries volume information: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\build.exe Queries volume information: C:\Users\user\AppData\Local\Temp\build.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\build.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\build.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\build.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\build.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\build.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\build.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\build.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\build.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\build.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\build.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\build.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\nonsubmerged\carryover.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\System32\AppVClient.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\FXSSVC.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\FXSSVC.exe Queries volume information: C:\ProgramData\Microsoft\Windows NT\MSFax\Queue\TSTB832.tmp VolumeInformation
Source: C:\Windows\System32\FXSSVC.exe Queries volume information: C:\ProgramData\Microsoft\Windows NT\MSFax\TSTB833.tmp VolumeInformation
Source: C:\Windows\System32\msdtc.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\Locator.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\SensorDataService.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\snmptrap.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\Spectrum.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe Code function: 0_2_0042520A GetSystemTimeAsFileTime,__aulldiv, 0_2_0042520A
Source: C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe Code function: 0_2_01708550 GetVolumeInformationW,wsprintfW,GetLastError,GetLastError,GetUserNameW,GetLastError,GetLastError,GetUserNameW,LocalFree,AllocateAndInitializeSid,wsprintfW,SetEntriesInAclW,GetLastError,OpenMutexW, 0_2_01708550
Source: C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe Code function: 0_2_00433F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte, 0_2_00433F3A
Source: C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe Code function: 0_2_004049A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_004049A0
Source: C:\Users\user\Desktop\POP_Swift_Copy_MTC78362-N70002.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: POP_Swift_Copy_MTC78362-N70002.exe, 00000000.00000002.869911393.0000000000AAF000.00000004.00000020.00020000.00000000.sdmp, POP_Swift_Copy_MTC78362-N70002.exe, 00000000.00000003.857005775.0000000000AAF000.00000004.00000020.00020000.00000000.sdmp, POP_Swift_Copy_MTC78362-N70002.exe, 00000000.00000003.856634168.0000000000A82000.00000004.00000020.00020000.00000000.sdmp, carryover.exe, 00000003.00000003.870859266.0000000000C5D000.00000004.00000020.00020000.00000000.sdmp, carryover.exe, 00000003.00000003.871543886.0000000000C8A000.00000004.00000020.00020000.00000000.sdmp, carryover.exe, 00000003.00000002.895962962.0000000000C8A000.00000004.00000020.00020000.00000000.sdmp, carryover.exe, 00000006.00000003.894945492.0000000000B5E000.00000004.00000020.00020000.00000000.sdmp, carryover.exe, 00000006.00000002.920896517.0000000000B8B000.00000004.00000020.00020000.00000000.sdmp, carryover.exe, 0000000D.00000003.994356503.0000000000D2D000.00000004.00000020.00020000.00000000.sdmp, carryover.exe, 0000000D.00000002.1025952229.0000000000D5A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: mcupdate.exe
Source: C:\Users\user\AppData\Local\Temp\build.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\build.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\AppData\Local\Temp\build.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Users\user\AppData\Local\Temp\build.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\build.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\AppData\Local\Temp\build.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Source: Yara match File source: 8.2.RegSvcs.exe.3fa53c0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.RegSvcs.exe.3fe15f0.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.RegSvcs.exe.401d810.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.RegSvcs.exe.401d810.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.Origin_rawfile.exe.d90000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.RegSvcs.exe.3fe15f0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.RegSvcs.exe.3fa53c0.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000009.00000000.924376846.0000000000D92000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2158193336.0000000003221000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2158193336.00000000031D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.939369508.0000000003F69000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 4444, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Origin_rawfile.exe PID: 7224, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe, type: DROPPED
Source: Yara match File source: 8.2.RegSvcs.exe.5530000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.RegSvcs.exe.3ecdf90.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.RegSvcs.exe.55d0000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.RegSvcs.exe.3ecdf90.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.RegSvcs.exe.5530000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.RegSvcs.exe.40b6458.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.RegSvcs.exe.2ba3f16.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.RegSvcs.exe.55d0000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.RegSvcs.exe.40b5570.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.RegSvcs.exe.5530ee8.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.RegSvcs.exe.40b5570.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.956531677.00000000055D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.955716644.0000000005530000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.939369508.0000000003E69000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.936423407.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.1085473700.00000000040B5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 8.2.RegSvcs.exe.40efe90.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.RegSvcs.exe.3fa53c0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.0.build.exe.100000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.RegSvcs.exe.401d810.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.RegSvcs.exe.3e35570.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.RegSvcs.exe.3e35570.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.RegSvcs.exe.3fe15f0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.RegSvcs.exe.40efe90.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000A.00000000.925962537.0000000000102000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.1309475131.00000000025C6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.939369508.0000000003E35000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.939369508.00000000040E7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.939369508.0000000003F69000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 4444, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: build.exe PID: 7248, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\build.exe, type: DROPPED
Source: build.exe, 0000000A.00000002.1309475131.00000000025C6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: ElectrumE#
Source: build.exe, 0000000A.00000002.1309475131.00000000026B1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: $Jq2C:\Users\user\AppData\Roaming\Electrum\wallets\*
Source: build.exe, 0000000A.00000002.1309475131.00000000025C6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: JaxxE#
Source: build.exe, 0000000A.00000002.1309475131.00000000026B1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: %appdata%\Exodus\exodus.walletLRJq
Source: build.exe, 0000000A.00000002.1309475131.00000000026B1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: %appdata%\Ethereum\walletsLRJq<
Source: build.exe, 0000000A.00000002.1309475131.00000000025C6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: ExodusE#
Source: build.exe, 0000000A.00000002.1309475131.00000000026B1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: $Jq%appdata%`,JqdC:\Users\user\AppData\Roaming`,JqdC:\Users\user\AppData\Roaming\Binance
Source: build.exe, 0000000A.00000002.1309475131.00000000025C6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: EthereumE#
Source: build.exe, 0000000A.00000002.1309475131.00000000026B1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: $Jq&%localappdata%\Coinomi\Coinomi\walletsLRJq
Source: build.exe, 0000000A.00000002.1309475131.00000000026B1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: $Jq6C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\*
Source: RegSvcs.exe, 00000008.00000002.939369508.0000000003E69000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: set_UseMachineKeyStore
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\AppData\Local\Temp\build.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Local\Temp\build.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\build.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Local\Temp\build.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\build.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\build.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Users\user\AppData\Local\Temp\build.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe File opened: C:\FTP Navigator\Ftplist.txt
Source: C:\Users\user\AppData\Local\Temp\build.exe File opened: C:\Users\user\AppData\Roaming\atomic\
Source: C:\Users\user\AppData\Local\Temp\build.exe File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\Users\user\AppData\Local\Temp\build.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\Cache\
Source: C:\Users\user\AppData\Local\Temp\build.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\db\
Source: C:\Users\user\AppData\Local\Temp\build.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Users\user\AppData\Local\Temp\build.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Users\user\AppData\Local\Temp\build.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\AppData\Local\Temp\build.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\AppData\Local\Temp\build.exe File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
Source: C:\Users\user\AppData\Local\Temp\build.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Local\Temp\build.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Local\Temp\build.exe File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Users\user\AppData\Local\Temp\build.exe File opened: C:\Users\user\AppData\Roaming\Guarda\
Source: C:\Users\user\AppData\Local\Temp\build.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: Yara match File source: 8.2.RegSvcs.exe.3fa53c0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.RegSvcs.exe.3fe15f0.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.RegSvcs.exe.401d810.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.RegSvcs.exe.401d810.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.Origin_rawfile.exe.d90000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.RegSvcs.exe.3fe15f0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.RegSvcs.exe.3fa53c0.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000009.00000000.924376846.0000000000D92000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.1309475131.00000000025C6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2158193336.00000000031D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.939369508.0000000003F69000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.1309475131.00000000026B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 4444, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Origin_rawfile.exe PID: 7224, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: build.exe PID: 7248, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe, type: DROPPED

Remote Access Functionality

Source: Yara match File source: 8.2.RegSvcs.exe.3fa53c0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.RegSvcs.exe.3fe15f0.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.RegSvcs.exe.401d810.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.RegSvcs.exe.401d810.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.Origin_rawfile.exe.d90000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.RegSvcs.exe.3fe15f0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.RegSvcs.exe.3fa53c0.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000009.00000000.924376846.0000000000D92000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2158193336.0000000003221000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2158193336.00000000031D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.939369508.0000000003F69000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 4444, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Origin_rawfile.exe PID: 7224, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\Origin_rawfile.exe, type: DROPPED
Source: Yara match File source: 8.2.RegSvcs.exe.5530000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.RegSvcs.exe.3ecdf90.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.RegSvcs.exe.55d0000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.RegSvcs.exe.3ecdf90.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.RegSvcs.exe.5530000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.RegSvcs.exe.40b6458.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.RegSvcs.exe.2ba3f16.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.RegSvcs.exe.55d0000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.RegSvcs.exe.40b5570.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.RegSvcs.exe.5530ee8.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.RegSvcs.exe.40b5570.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.956531677.00000000055D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.955716644.0000000005530000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.939369508.0000000003E69000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.936423407.0000000002BA3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.1085473700.00000000040B5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 8.2.RegSvcs.exe.40efe90.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.RegSvcs.exe.3fa53c0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.0.build.exe.100000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.RegSvcs.exe.401d810.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.RegSvcs.exe.3e35570.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.RegSvcs.exe.3e35570.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.RegSvcs.exe.3fe15f0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.RegSvcs.exe.40efe90.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000A.00000000.925962537.0000000000102000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.1309475131.00000000025C6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.939369508.0000000003E35000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.939369508.00000000040E7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.939369508.0000000003F69000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 4444, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: build.exe PID: 7248, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\build.exe, type: DROPPED