Windows Analysis Report
FakturaPDF.exe

Overview

General Information

Sample name: FakturaPDF.exe
Analysis ID: 1500625
MD5: 3d1c6d7d8127b4bee872fdc3100efc98
SHA1: 119d54287ef32c14f1bb3fc3acc5671b5a912300
SHA256: 629463eeaf09ac3f51a7adf9c29d43b73f06bb92448243f6c9b8c7b9c1efbcd5
Tags: exe
Infos:

Detection

NetSupport RAT
Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

AI detected phishing page
Multi AV Scanner detection for dropped file
Suricata IDS alerts for network traffic
AI detected suspicious sample
Contains functionality to detect sleep reduction / modifications
Contains functionalty to change the wallpaper
Delayed program exit found
Uses known network protocols on non-standard ports
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query locales information (e.g. system language)
Contains functionality to query network adapater information
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected non-DNS traffic on DNS port
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables security privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evaded block containing many API calls
Found evasive API chain (date check)
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check if the current machine is a sandbox (GetTickCount - Sleep)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE / OLE file has an invalid certificate
PE file contains sections with non-standard names
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Uses the system / local time for branch decision (may execute only at specific dates)
Yara detected Keylogger Generic
Yara detected NetSupport remote tool

Classification

AV Detection
barindex
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe ReversingLabs: Detection: 26%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 97.4% probability
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Code function: 12_2_110A80D0 GetModuleHandleA,GetProcAddress,GetProcAddress,GetLastError,wsprintfA,GetLastError,_memset,CryptGetProvParam,CryptGetProvParam,GetLastError,_memset,CryptGetProvParam,GetLastError,GetLastError,GetLastError,GetLastError,_malloc,GetLastError,_free,GetLastError,CryptReleaseContext,SetLastError,FreeLibrary, 12_2_110A80D0

Phishing
barindex
AI detected phishing page
Source: https://sx.ytmv5.ru.com/Faktura.pdf LLM: Score: 8 Reasons: The URL'sx.ytmv5.ru.com' is suspicious due to its combination of different domain extensions, lack of association with a well-known brand, and the presence of a pop-up window asking for a password, which could be a tactic to trick users into entering their login credentials. DOM: 0.0.pages.csv
Source: https://sx.ytmv5.ru.com/Faktura.pdf HTTP Parser: No favicon
Source: file:///C:/Users/user/Downloads/downloaded.pdf HTTP Parser: No favicon
Source: file:///C:/Users/user/Downloads/downloaded.pdf HTTP Parser: No favicon
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 173.222.162.64:443 -> 192.168.2.6:49731 version: TLS 1.0
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe File opened: C:\Users\user\AppData\Roaming\windows2\MSVCR100.dll Jump to behavior
Source: unknown HTTPS traffic detected: 40.113.103.199:443 -> 192.168.2.6:49718 version: TLS 1.2
Source: unknown HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.6:49724 version: TLS 1.2
Source: unknown HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.6:49725 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.113.103.199:443 -> 192.168.2.6:49726 version: TLS 1.2
Source: unknown HTTPS traffic detected: 109.123.227.60:443 -> 192.168.2.6:49727 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.6:49728 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.113.103.199:443 -> 192.168.2.6:55915 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.113.103.199:443 -> 192.168.2.6:55916 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.6:55917 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.113.103.199:443 -> 192.168.2.6:55919 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.113.103.199:443 -> 192.168.2.6:55923 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.113.103.199:443 -> 192.168.2.6:55925 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.113.110.67:443 -> 192.168.2.6:55926 version: TLS 1.2
Source: FakturaPDF.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: msvcr100.i386.pdb source: adobe.exe, adobe.exe, 0000000C.00000002.4605987963.000000006FCC1000.00000020.00000001.01000000.0000000B.sdmp, msvcr100.dll.0.dr
Source: Binary string: E:\nsmsrc\nsm\1201\1201F2\client32\Release\PCICL32.pdbP source: adobe.exe, 0000000C.00000002.4603990916.0000000011188000.00000002.00000001.01000000.00000008.sdmp, PCICL32.DLL.0.dr
Source: Binary string: E:\nsmsrc\nsm\1201\1201F\ctl32\Full\pcichek.pdb source: adobe.exe, 0000000C.00000002.4606492989.000000006FD82000.00000002.00000001.01000000.00000009.sdmp, PCICHEK.DLL.0.dr
Source: Binary string: E:\nsmsrc\nsm\1201\1201F2\ctl32\release\htctl32.pdbL source: adobe.exe, 0000000C.00000002.4605274958.000000006BDB0000.00000002.00000001.01000000.0000000C.sdmp, HTCTL32.DLL.0.dr
Source: Binary string: E:\nsmsrc\nsm\1201\1201F\ctl32\Full\pcichek.pdbN source: PCICHEK.DLL.0.dr
Source: Binary string: m\1201\1201\ctl32\release\pcicapi.pdb source: pcicapi.dll.0.dr
Source: Binary string: E:\nsmsrc\nsm\1201\1201F2\client32\Release\PCICL32.pdb source: adobe.exe, 0000000C.00000002.4603990916.0000000011188000.00000002.00000001.01000000.00000008.sdmp, PCICL32.DLL.0.dr
Source: Binary string: E:\nsmsrc\nsm\1201\1201F2\ctl32\release\tcctl32.pdbP source: TCCTL32.DLL.0.dr
Source: Binary string: pcicapi.pdbm\1201\1201\ctl32\release\pcicapi.pdbH source: pcicapi.dll.0.dr
Source: Binary string: E:\nsmsrc\nsm\1201\1201F2\ctl32\release\tcctl32.pdb source: TCCTL32.DLL.0.dr
Source: Binary string: E:\nsmsrc\nsm\1200\1200\client32\Release\client32.pdb source: adobe.exe, 0000000C.00000001.2305968764.0000000000012000.00000002.00000001.01000000.00000007.sdmp, adobe.exe, 0000000C.00000000.2305770068.0000000000012000.00000002.00000001.01000000.00000007.sdmp, adobe.exe, 0000000C.00000002.4600042524.0000000000012000.00000002.00000001.01000000.00000007.sdmp, adobe.exe.0.dr
Source: Binary string: E:\nsmsrc\nsm\1201\1201F2\ctl32\release\htctl32.pdb source: adobe.exe, 0000000C.00000002.4605274958.000000006BDB0000.00000002.00000001.01000000.0000000C.sdmp, HTCTL32.DLL.0.dr
Source: Binary string: pcicapi.pdb source: pcicapi.dll.0.dr
Source: Binary string: E:\nsmsrc\nsm\1201\1201\AudioCapture\Release\AudioCapture.pdb source: AudioCapture.dll.0.dr
Source: Binary string: downloader.pdb source: FakturaPDF.exe, FakturaPDF.exe, 00000000.00000002.4601629330.00007FF7626A1000.00000040.00000001.01000000.0000000D.sdmp
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Code function: 12_2_11103360 _memset,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,FindNextFileA,GetLastError,FindClose, 12_2_11103360
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Code function: 12_2_110619A0 _memset,_memmove,_strncpy,CharUpperA,FindFirstFileA,FindNextFileA,FindClose,wsprintfA, 12_2_110619A0
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Code function: 12_2_1102BC80 InterlockedIncrement,Sleep,Sleep,GetCurrentProcess,SetPriorityClass,SetEvent,Sleep,PostThreadMessageA,PostThreadMessageA,CloseHandle,_free,_free,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess, 12_2_1102BC80
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Code function: 12_2_11066090 GetTickCount,OpenPrinterA,StartDocPrinterA,ClosePrinter,FindFirstFileA,FindClose,CreateFileA,SetFilePointer,GetTickCount,GetLastError, 12_2_11066090
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Code function: 12_2_1111E850 _memset,_memset,GetVersionExA,GetTempPathA,GetModuleFileNameA,_strrchr,CreateFileA,CreateFileA,WriteFile,CloseHandle,CloseHandle,CreateFileA,GetCurrentProcessId,wsprintfA,CreateProcessA,CloseHandle,CloseHandle,CloseHandle,CreateProcessA,DeleteFileA,Sleep,WaitForSingleObject,CloseHandle,GetCurrentProcess,RemoveDirectoryA,GetLastError,ExitProcess,FindNextFileA,FindClose,FindFirstFileA,GetCurrentProcess,GetCurrentProcess,DuplicateHandle,GetModuleFileNameA,_strrchr,_memmove,GetThreadContext,VirtualProtectEx,WriteProcessMemory,FlushInstructionCache,SetThreadContext,ResumeThread,CloseHandle,CloseHandle, 12_2_1111E850

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2827745 - Severity 1 - ETPRO MALWARE NetSupport RAT CnC Activity : 192.168.2.6:49733 -> 51.38.106.86:9164
Uses known network protocols on non-standard ports
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 9164 -> 49733
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 9164 -> 49733
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.6:49733 -> 51.38.106.86:9164
Detected non-DNS traffic on DNS port
Source: global traffic TCP traffic: 192.168.2.6:55913 -> 1.1.1.1:53
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /windows_files.zip HTTP/1.1accept: */*host: sx.ytmv5.ru.com
Source: global traffic HTTP traffic detected: GET /location/loca.asp HTTP/1.1Host: geo.netsupportsoftware.comConnection: Keep-AliveCache-Control: no-cache
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 172.67.68.212 172.67.68.212
Source: Joe Sandbox View IP Address: 239.255.255.250 239.255.255.250
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: OVHFR OVHFR
Source: Joe Sandbox View ASN Name: CASABLANCA-ASInternetCollocationProviderCZ CASABLANCA-ASInternetCollocationProviderCZ
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 1138de370e523e824bbca92d049a3777
Source: Joe Sandbox View JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 173.222.162.64:443 -> 192.168.2.6:49731 version: TLS 1.0
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown TCP traffic detected without corresponding DNS query: 40.113.103.199
Source: unknown TCP traffic detected without corresponding DNS query: 40.113.103.199
Source: unknown TCP traffic detected without corresponding DNS query: 40.113.103.199
Source: unknown TCP traffic detected without corresponding DNS query: 40.113.103.199
Source: unknown TCP traffic detected without corresponding DNS query: 40.113.103.199
Source: unknown TCP traffic detected without corresponding DNS query: 40.113.103.199
Source: unknown TCP traffic detected without corresponding DNS query: 40.113.103.199
Source: unknown TCP traffic detected without corresponding DNS query: 40.113.103.199
Source: unknown TCP traffic detected without corresponding DNS query: 40.113.103.199
Source: unknown TCP traffic detected without corresponding DNS query: 40.113.103.199
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown TCP traffic detected without corresponding DNS query: 40.113.103.199
Source: unknown TCP traffic detected without corresponding DNS query: 40.113.103.199
Source: unknown TCP traffic detected without corresponding DNS query: 40.113.103.199
Source: unknown TCP traffic detected without corresponding DNS query: 40.113.103.199
Source: unknown TCP traffic detected without corresponding DNS query: 40.113.103.199
Source: unknown TCP traffic detected without corresponding DNS query: 40.113.103.199
Source: unknown TCP traffic detected without corresponding DNS query: 40.113.103.199
Source: unknown TCP traffic detected without corresponding DNS query: 40.113.103.199
Source: unknown TCP traffic detected without corresponding DNS query: 40.113.103.199
Source: unknown TCP traffic detected without corresponding DNS query: 40.113.103.199
Source: unknown TCP traffic detected without corresponding DNS query: 40.113.103.199
Source: unknown TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: global traffic HTTP traffic detected: GET /Faktura.pdf HTTP/1.1Host: sx.ytmv5.ru.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: sx.ytmv5.ru.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://sx.ytmv5.ru.com/Faktura.pdfAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /Faktura.pdf HTTP/1.1Host: sx.ytmv5.ru.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic HTTP traffic detected: GET /windows_files.zip HTTP/1.1accept: */*host: sx.ytmv5.ru.com
Source: global traffic HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=LvNVgAbR7W6XlwT&MD=TNlrXFEH HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=LvNVgAbR7W6XlwT&MD=TNlrXFEH HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic HTTP traffic detected: GET /location/loca.asp HTTP/1.1Host: geo.netsupportsoftware.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic DNS traffic detected: DNS query: sx.ytmv5.ru.com
Source: global traffic DNS traffic detected: DNS query: www.google.com
Source: global traffic DNS traffic detected: DNS query: geo.netsupportsoftware.com
Source: unknown HTTP traffic detected: POST http://51.38.106.86/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 22Host: 51.38.106.86Connection: Keep-AliveCMD=POLLINFO=1ACK=1Data Raw: Data Ascii:
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 28 Aug 2024 16:48:01 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1
Source: adobe.exe, adobe.exe, 0000000C.00000002.4605274958.000000006BDB0000.00000002.00000001.01000000.0000000C.sdmp, HTCTL32.DLL.0.dr String found in binary or memory: http://%s/fakeurl.htm
Source: adobe.exe, adobe.exe, 0000000C.00000002.4605274958.000000006BDB0000.00000002.00000001.01000000.0000000C.sdmp, HTCTL32.DLL.0.dr String found in binary or memory: http://%s/testpage.htm
Source: adobe.exe, 0000000C.00000002.4605274958.000000006BDB0000.00000002.00000001.01000000.0000000C.sdmp, HTCTL32.DLL.0.dr String found in binary or memory: http://%s/testpage.htmwininet.dll
Source: adobe.exe, adobe.exe, 0000000C.00000002.4603990916.0000000011188000.00000002.00000001.01000000.00000008.sdmp, PCICL32.DLL.0.dr String found in binary or memory: http://127.0.0.1
Source: adobe.exe, 0000000C.00000002.4603990916.0000000011188000.00000002.00000001.01000000.00000008.sdmp, PCICL32.DLL.0.dr String found in binary or memory: http://127.0.0.1RESUMEPRINTING
Source: adobe.exe, 0000000C.00000002.4601440489.0000000000D60000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://51.38.106.86/fakeurl.htm
Source: FakturaPDF.exe String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: FakturaPDF.exe String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: FakturaPDF.exe String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0
Source: FakturaPDF.exe String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: FakturaPDF.exe, 00000000.00000003.2571849324.0000020498EEC000.00000004.00000020.00020000.00000000.sdmp, FakturaPDF.exe, 00000000.00000002.4599912151.000000AA53AFC000.00000004.00000010.00020000.00000000.sdmp, HTCTL32.DLL.0.dr, pcicapi.dll.0.dr, PCICL32.DLL.0.dr, AudioCapture.dll.0.dr, TCCTL32.DLL.0.dr, PCICHEK.DLL.0.dr, adobe.exe.0.dr String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: FakturaPDF.exe String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#
Source: FakturaPDF.exe String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: adobe.exe, adobe.exe, 0000000C.00000002.4600849113.0000000000CB9000.00000004.00000020.00020000.00000000.sdmp, adobe.exe, 0000000C.00000002.4603990916.0000000011188000.00000002.00000001.01000000.00000008.sdmp, adobe.exe, 0000000C.00000002.4600849113.0000000000CAC000.00000004.00000020.00020000.00000000.sdmp, adobe.exe, 0000000C.00000002.4600849113.0000000000D00000.00000004.00000020.00020000.00000000.sdmp, PCICL32.DLL.0.dr String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.asp
Source: adobe.exe, 0000000C.00000002.4600849113.0000000000D00000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.asp&
Source: adobe.exe, 0000000C.00000002.4600849113.0000000000D00000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.asp4
Source: adobe.exe, 0000000C.00000002.4600849113.0000000000CB9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.asp;
Source: adobe.exe, 0000000C.00000002.4600849113.0000000000D00000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.aspR
Source: adobe.exe, 0000000C.00000002.4603990916.0000000011188000.00000002.00000001.01000000.00000008.sdmp, PCICL32.DLL.0.dr String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.aspSetChannel(%s)
Source: adobe.exe, 0000000C.00000002.4600849113.0000000000D00000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.aspn
Source: adobe.exe, 0000000C.00000002.4600849113.0000000000CAC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.aspnd
Source: FakturaPDF.exe String found in binary or memory: http://ocsp.comodoca.com0
Source: FakturaPDF.exe String found in binary or memory: http://ocsp.sectigo.com0
Source: FakturaPDF.exe, 00000000.00000003.2571849324.0000020498EEC000.00000004.00000020.00020000.00000000.sdmp, FakturaPDF.exe, 00000000.00000002.4599912151.000000AA53AFC000.00000004.00000010.00020000.00000000.sdmp, HTCTL32.DLL.0.dr, pcicapi.dll.0.dr, PCICL32.DLL.0.dr, AudioCapture.dll.0.dr, TCCTL32.DLL.0.dr, PCICHEK.DLL.0.dr, adobe.exe.0.dr String found in binary or memory: http://ocsp.thawte.com0
Source: FakturaPDF.exe, 00000000.00000003.2571849324.0000020498EEC000.00000004.00000020.00020000.00000000.sdmp, FakturaPDF.exe, 00000000.00000002.4599912151.000000AA53AFC000.00000004.00000010.00020000.00000000.sdmp, HTCTL32.DLL.0.dr, pcicapi.dll.0.dr, PCICL32.DLL.0.dr, AudioCapture.dll.0.dr, TCCTL32.DLL.0.dr, PCICHEK.DLL.0.dr String found in binary or memory: http://sf.symcb.com/sf.crl0f
Source: FakturaPDF.exe, 00000000.00000003.2571849324.0000020498EEC000.00000004.00000020.00020000.00000000.sdmp, FakturaPDF.exe, 00000000.00000002.4599912151.000000AA53AFC000.00000004.00000010.00020000.00000000.sdmp, HTCTL32.DLL.0.dr, pcicapi.dll.0.dr, PCICL32.DLL.0.dr, AudioCapture.dll.0.dr, TCCTL32.DLL.0.dr, PCICHEK.DLL.0.dr String found in binary or memory: http://sf.symcb.com/sf.crt0
Source: FakturaPDF.exe, 00000000.00000003.2571849324.0000020498EEC000.00000004.00000020.00020000.00000000.sdmp, FakturaPDF.exe, 00000000.00000002.4599912151.000000AA53AFC000.00000004.00000010.00020000.00000000.sdmp, HTCTL32.DLL.0.dr, pcicapi.dll.0.dr, PCICL32.DLL.0.dr, AudioCapture.dll.0.dr, TCCTL32.DLL.0.dr, PCICHEK.DLL.0.dr String found in binary or memory: http://sf.symcd.com0&
Source: FakturaPDF.exe, 00000000.00000003.2571849324.0000020498EEC000.00000004.00000020.00020000.00000000.sdmp, FakturaPDF.exe, 00000000.00000002.4599912151.000000AA53AFC000.00000004.00000010.00020000.00000000.sdmp, HTCTL32.DLL.0.dr, pcicapi.dll.0.dr, PCICL32.DLL.0.dr, AudioCapture.dll.0.dr, TCCTL32.DLL.0.dr, PCICHEK.DLL.0.dr, adobe.exe.0.dr String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: FakturaPDF.exe, 00000000.00000003.2571849324.0000020498EEC000.00000004.00000020.00020000.00000000.sdmp, FakturaPDF.exe, 00000000.00000002.4599912151.000000AA53AFC000.00000004.00000010.00020000.00000000.sdmp, HTCTL32.DLL.0.dr, pcicapi.dll.0.dr, PCICL32.DLL.0.dr, AudioCapture.dll.0.dr, TCCTL32.DLL.0.dr, PCICHEK.DLL.0.dr, adobe.exe.0.dr String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: FakturaPDF.exe, 00000000.00000003.2571849324.0000020498EEC000.00000004.00000020.00020000.00000000.sdmp, FakturaPDF.exe, 00000000.00000002.4599912151.000000AA53AFC000.00000004.00000010.00020000.00000000.sdmp, HTCTL32.DLL.0.dr, pcicapi.dll.0.dr, PCICL32.DLL.0.dr, AudioCapture.dll.0.dr, TCCTL32.DLL.0.dr, PCICHEK.DLL.0.dr, adobe.exe.0.dr String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: adobe.exe, 0000000C.00000002.4604066042.00000000111D5000.00000004.00000001.01000000.00000008.sdmp, PCICL32.DLL.0.dr String found in binary or memory: http://www.netsupportschool.com/tutor-assistant.asp
Source: adobe.exe, 0000000C.00000002.4604066042.00000000111D5000.00000004.00000001.01000000.00000008.sdmp, PCICL32.DLL.0.dr String found in binary or memory: http://www.netsupportschool.com/tutor-assistant.asp118
Source: FakturaPDF.exe, 00000000.00000003.2571849324.0000020498EEC000.00000004.00000020.00020000.00000000.sdmp, FakturaPDF.exe, 00000000.00000002.4599912151.000000AA53AFC000.00000004.00000010.00020000.00000000.sdmp, HTCTL32.DLL.0.dr, pcicapi.dll.0.dr, PCICL32.DLL.0.dr, AudioCapture.dll.0.dr, TCCTL32.DLL.0.dr, PCICHEK.DLL.0.dr, adobe.exe.0.dr String found in binary or memory: http://www.netsupportsoftware.com
Source: adobe.exe, 0000000C.00000002.4604066042.00000000111D5000.00000004.00000001.01000000.00000008.sdmp, PCICL32.DLL.0.dr String found in binary or memory: http://www.pci.co.uk/support
Source: adobe.exe, 0000000C.00000002.4604066042.00000000111D5000.00000004.00000001.01000000.00000008.sdmp, PCICL32.DLL.0.dr String found in binary or memory: http://www.pci.co.uk/supportsupport
Source: FakturaPDF.exe, 00000000.00000003.2571849324.0000020498EEC000.00000004.00000020.00020000.00000000.sdmp, FakturaPDF.exe, 00000000.00000002.4599912151.000000AA53AFC000.00000004.00000010.00020000.00000000.sdmp, HTCTL32.DLL.0.dr, pcicapi.dll.0.dr, PCICL32.DLL.0.dr, AudioCapture.dll.0.dr, TCCTL32.DLL.0.dr, PCICHEK.DLL.0.dr String found in binary or memory: https://d.symcb.com/cps0%
Source: FakturaPDF.exe, 00000000.00000003.2571849324.0000020498EEC000.00000004.00000020.00020000.00000000.sdmp, FakturaPDF.exe, 00000000.00000002.4599912151.000000AA53AFC000.00000004.00000010.00020000.00000000.sdmp, HTCTL32.DLL.0.dr, pcicapi.dll.0.dr, PCICL32.DLL.0.dr, AudioCapture.dll.0.dr, TCCTL32.DLL.0.dr, PCICHEK.DLL.0.dr String found in binary or memory: https://d.symcb.com/rpa0
Source: FakturaPDF.exe String found in binary or memory: https://sectigo.com/CPS0
Source: FakturaPDF.exe, FakturaPDF.exe, 00000000.00000002.4601629330.00007FF7626A1000.00000040.00000001.01000000.0000000D.sdmp String found in binary or memory: https://sx.ytmv5.ru.com/Faktura.pdf
Source: FakturaPDF.exe, 00000000.00000002.4601629330.00007FF7626A1000.00000040.00000001.01000000.0000000D.sdmp String found in binary or memory: https://sx.ytmv5.ru.com/Faktura.pdfL
Source: FakturaPDF.exe, 00000000.00000003.2571954133.0000020498E8E000.00000004.00000020.00020000.00000000.sdmp, FakturaPDF.exe, 00000000.00000002.4600390401.0000020498E4C000.00000004.00000020.00020000.00000000.sdmp, FakturaPDF.exe, 00000000.00000002.4600759330.0000020498E9C000.00000004.00000020.00020000.00000000.sdmp, FakturaPDF.exe, 00000000.00000003.2299567956.0000020498E9C000.00000004.00000020.00020000.00000000.sdmp, FakturaPDF.exe, 00000000.00000003.2571889762.0000020498E79000.00000004.00000020.00020000.00000000.sdmp, FakturaPDF.exe, 00000000.00000003.2571984577.0000020498E9B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sx.ytmv5.ru.com/windows_files.zip
Source: FakturaPDF.exe, 00000000.00000002.4601629330.00007FF7626A1000.00000040.00000001.01000000.0000000D.sdmp String found in binary or memory: https://sx.ytmv5.ru.com/windows_files.zipadobe.exeFailed
Source: unknown Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 55924
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 55925
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 55926
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 55920
Source: unknown Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 55919 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 55923
Source: unknown Network traffic detected: HTTP traffic on port 55917 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 55915 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 55926 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 55924 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown Network traffic detected: HTTP traffic on port 55920 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 55917
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 55919
Source: unknown Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 55915
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 55916
Source: unknown Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 55916 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 55925 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown Network traffic detected: HTTP traffic on port 55923 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown HTTPS traffic detected: 40.113.103.199:443 -> 192.168.2.6:49718 version: TLS 1.2
Source: unknown HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.6:49724 version: TLS 1.2
Source: unknown HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.6:49725 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.113.103.199:443 -> 192.168.2.6:49726 version: TLS 1.2
Source: unknown HTTPS traffic detected: 109.123.227.60:443 -> 192.168.2.6:49727 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.6:49728 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.113.103.199:443 -> 192.168.2.6:55915 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.113.103.199:443 -> 192.168.2.6:55916 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.6:55917 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.113.103.199:443 -> 192.168.2.6:55919 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.113.103.199:443 -> 192.168.2.6:55923 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.113.103.199:443 -> 192.168.2.6:55925 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.113.110.67:443 -> 192.168.2.6:55926 version: TLS 1.2
Contains functionality for read data from the clipboard
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Code function: 12_2_1101DBD0 OpenClipboard,GlobalAlloc,GlobalLock,_memmove,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,MessageBeep,CloseClipboard, 12_2_1101DBD0
Contains functionality to modify clipboard data
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Code function: 12_2_11031440 GetClipboardFormatNameA,SetClipboardData, 12_2_11031440
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Code function: 12_2_1101DBD0 OpenClipboard,GlobalAlloc,GlobalLock,_memmove,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,MessageBeep,CloseClipboard, 12_2_1101DBD0
Contains functionality to read the clipboard data
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Code function: 12_2_110311C0 IsClipboardFormatAvailable,GetClipboardData,GetClipboardFormatNameA,GetLastError,GlobalUnlock, 12_2_110311C0
Contains functionality to record screenshots
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Code function: 12_2_110076A0 LoadCursorA,SetCursor,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,CreateDCA,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,SelectClipRgn,BitBlt,SelectClipRgn,DeleteObject,DeleteDC,BitBlt,ReleaseDC,CreatePen,CreateSolidBrush,GetSysColor,LoadBitmapA,_memset,_swscanf,CreateFontIndirectA,_memset,GetStockObject,GetObjectA,CreateFontIndirectA,GetWindowRect,SetWindowTextA,GetSystemMetrics,GetSystemMetrics,SetWindowPos,UpdateWindow,SetCursor, 12_2_110076A0
Potential key logger detected (key state polling based)
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Code function: 12_2_1110BC30 PeekMessageA,GetKeyState,GetKeyState,GetKeyState,Sleep,GetKeyState, 12_2_1110BC30
Yara detected Keylogger Generic
Source: Yara match File source: 12.2.adobe.exe.111abb38.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.adobe.exe.11000000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000C.00000002.4603990916.0000000011188000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: adobe.exe PID: 1396, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Roaming\windows2\PCICL32.DLL, type: DROPPED

Spam, unwanted Advertisements and Ransom Demands
barindex
Contains functionalty to change the wallpaper
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Code function: 12_2_1110DC60 SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,RegCloseKey,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,RegCloseKey,SystemParametersInfoA, 12_2_1110DC60
Contains functionality to call native functions
Source: C:\Users\user\Desktop\FakturaPDF.exe Code function: 0_2_00007FF762723160 NtWriteFile,WaitForSingleObject,RtlNtStatusToDosError,MultiByteToWideChar,WriteConsoleW,WriteConsoleW,GetLastError,GetLastError, 0_2_00007FF762723160
Source: C:\Users\user\Desktop\FakturaPDF.exe Code function: 0_2_00007FF7626D45BC NtCreateFile,RtlNtStatusToDosError,CreateIoCompletionPort,SetFileCompletionNotificationModes,CloseHandle, 0_2_00007FF7626D45BC
Source: C:\Users\user\Desktop\FakturaPDF.exe Code function: 0_2_00007FF7626D3EBC NtDeviceIoControlFile,RtlNtStatusToDosError, 0_2_00007FF7626D3EBC
Source: C:\Users\user\Desktop\FakturaPDF.exe Code function: 0_2_00007FF76277A4B8 NtWriteFile, 0_2_00007FF76277A4B8
Source: C:\Users\user\Desktop\FakturaPDF.exe Code function: 0_2_00007FF7626D27D6 NtCancelIoFileEx,RtlNtStatusToDosError, 0_2_00007FF7626D27D6
Contains functionality to communicate with device drivers
Source: C:\Users\user\Desktop\FakturaPDF.exe Code function: 0_2_00007FF7626D3EBC: NtDeviceIoControlFile,RtlNtStatusToDosError, 0_2_00007FF7626D3EBC
Contains functionality to launch a process as a different user
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Code function: 12_2_111533D0 FindWindowA,_memset,CreateProcessAsUserA,GetLastError,WinExec,CloseHandle,CloseHandle,CloseHandle,WinExec, 12_2_111533D0
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Code function: 12_2_1102BC80 InterlockedIncrement,Sleep,Sleep,GetCurrentProcess,SetPriorityClass,SetEvent,Sleep,PostThreadMessageA,PostThreadMessageA,CloseHandle,_free,_free,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess, 12_2_1102BC80
Detected potential crypto function
Source: C:\Users\user\Desktop\FakturaPDF.exe Code function: 0_2_00007FF7626EA139 0_2_00007FF7626EA139
Source: C:\Users\user\Desktop\FakturaPDF.exe Code function: 0_2_00007FF762723160 0_2_00007FF762723160
Source: C:\Users\user\Desktop\FakturaPDF.exe Code function: 0_2_00007FF7626A2A5B 0_2_00007FF7626A2A5B
Source: C:\Users\user\Desktop\FakturaPDF.exe Code function: 0_2_00007FF7626DAF83 0_2_00007FF7626DAF83
Source: C:\Users\user\Desktop\FakturaPDF.exe Code function: 0_2_00007FF7626E2DF7 0_2_00007FF7626E2DF7
Source: C:\Users\user\Desktop\FakturaPDF.exe Code function: 0_2_00007FF7626A2DA2 0_2_00007FF7626A2DA2
Source: C:\Users\user\Desktop\FakturaPDF.exe Code function: 0_2_00007FF7626B23E0 0_2_00007FF7626B23E0
Source: C:\Users\user\Desktop\FakturaPDF.exe Code function: 0_2_00007FF7627674B8 0_2_00007FF7627674B8
Source: C:\Users\user\Desktop\FakturaPDF.exe Code function: 0_2_00007FF7627264E0 0_2_00007FF7627264E0
Source: C:\Users\user\Desktop\FakturaPDF.exe Code function: 0_2_00007FF762754450 0_2_00007FF762754450
Source: C:\Users\user\Desktop\FakturaPDF.exe Code function: 0_2_00007FF762752134 0_2_00007FF762752134
Source: C:\Users\user\Desktop\FakturaPDF.exe Code function: 0_2_00007FF76274F164 0_2_00007FF76274F164
Source: C:\Users\user\Desktop\FakturaPDF.exe Code function: 0_2_00007FF76275717C 0_2_00007FF76275717C
Source: C:\Users\user\Desktop\FakturaPDF.exe Code function: 0_2_00007FF76275A194 0_2_00007FF76275A194
Source: C:\Users\user\Desktop\FakturaPDF.exe Code function: 0_2_00007FF7626A3290 0_2_00007FF7626A3290
Source: C:\Users\user\Desktop\FakturaPDF.exe Code function: 0_2_00007FF76275B2B8 0_2_00007FF76275B2B8
Source: C:\Users\user\Desktop\FakturaPDF.exe Code function: 0_2_00007FF7627517B4 0_2_00007FF7627517B4
Source: C:\Users\user\Desktop\FakturaPDF.exe Code function: 0_2_00007FF762720807 0_2_00007FF762720807
Source: C:\Users\user\Desktop\FakturaPDF.exe Code function: 0_2_00007FF762756738 0_2_00007FF762756738
Source: C:\Users\user\Desktop\FakturaPDF.exe Code function: 0_2_00007FF76274A770 0_2_00007FF76274A770
Source: C:\Users\user\Desktop\FakturaPDF.exe Code function: 0_2_00007FF7626A8912 0_2_00007FF7626A8912
Source: C:\Users\user\Desktop\FakturaPDF.exe Code function: 0_2_00007FF76275C5B0 0_2_00007FF76275C5B0
Source: C:\Users\user\Desktop\FakturaPDF.exe Code function: 0_2_00007FF76276C5C0 0_2_00007FF76276C5C0
Source: C:\Users\user\Desktop\FakturaPDF.exe Code function: 0_2_00007FF7626C6548 0_2_00007FF7626C6548
Source: C:\Users\user\Desktop\FakturaPDF.exe Code function: 0_2_00007FF7627715F4 0_2_00007FF7627715F4
Source: C:\Users\user\Desktop\FakturaPDF.exe Code function: 0_2_00007FF76275052C 0_2_00007FF76275052C
Source: C:\Users\user\Desktop\FakturaPDF.exe Code function: 0_2_00007FF7627336A0 0_2_00007FF7627336A0
Source: C:\Users\user\Desktop\FakturaPDF.exe Code function: 0_2_00007FF762770704 0_2_00007FF762770704
Source: C:\Users\user\Desktop\FakturaPDF.exe Code function: 0_2_00007FF762778630 0_2_00007FF762778630
Source: C:\Users\user\Desktop\FakturaPDF.exe Code function: 0_2_00007FF76276E66C 0_2_00007FF76276E66C
Source: C:\Users\user\Desktop\FakturaPDF.exe Code function: 0_2_00007FF7626AD6C0 0_2_00007FF7626AD6C0
Source: C:\Users\user\Desktop\FakturaPDF.exe Code function: 0_2_00007FF7626B96AB 0_2_00007FF7626B96AB
Source: C:\Users\user\Desktop\FakturaPDF.exe Code function: 0_2_00007FF76276EBD8 0_2_00007FF76276EBD8
Source: C:\Users\user\Desktop\FakturaPDF.exe Code function: 0_2_00007FF762763B70 0_2_00007FF762763B70
Source: C:\Users\user\Desktop\FakturaPDF.exe Code function: 0_2_00007FF76276AB80 0_2_00007FF76276AB80
Source: C:\Users\user\Desktop\FakturaPDF.exe Code function: 0_2_00007FF7626D1B99 0_2_00007FF7626D1B99
Source: C:\Users\user\Desktop\FakturaPDF.exe Code function: 0_2_00007FF7626AFD10 0_2_00007FF7626AFD10
Source: C:\Users\user\Desktop\FakturaPDF.exe Code function: 0_2_00007FF7627559A8 0_2_00007FF7627559A8
Source: C:\Users\user\Desktop\FakturaPDF.exe Code function: 0_2_00007FF76274B9E0 0_2_00007FF76274B9E0
Source: C:\Users\user\Desktop\FakturaPDF.exe Code function: 0_2_00007FF7626CC9F7 0_2_00007FF7626CC9F7
Source: C:\Users\user\Desktop\FakturaPDF.exe Code function: 0_2_00007FF762768AA8 0_2_00007FF762768AA8
Source: C:\Users\user\Desktop\FakturaPDF.exe Code function: 0_2_00007FF762771B04 0_2_00007FF762771B04
Source: C:\Users\user\Desktop\FakturaPDF.exe Code function: 0_2_00007FF76274FA20 0_2_00007FF76274FA20
Source: C:\Users\user\Desktop\FakturaPDF.exe Code function: 0_2_00007FF7626DBF1D 0_2_00007FF7626DBF1D
Source: C:\Users\user\Desktop\FakturaPDF.exe Code function: 0_2_00007FF76276B0D4 0_2_00007FF76276B0D4
Source: C:\Users\user\Desktop\FakturaPDF.exe Code function: 0_2_00007FF762739020 0_2_00007FF762739020
Source: C:\Users\user\Desktop\FakturaPDF.exe Code function: 0_2_00007FF76276CDA8 0_2_00007FF76276CDA8
Source: C:\Users\user\Desktop\FakturaPDF.exe Code function: 0_2_00007FF762766E00 0_2_00007FF762766E00
Source: C:\Users\user\Desktop\FakturaPDF.exe Code function: 0_2_00007FF76274FD24 0_2_00007FF76274FD24
Source: C:\Users\user\Desktop\FakturaPDF.exe Code function: 0_2_00007FF762764D68 0_2_00007FF762764D68
Source: C:\Users\user\Desktop\FakturaPDF.exe Code function: 0_2_00007FF7626E2E69 0_2_00007FF7626E2E69
Source: C:\Users\user\Desktop\FakturaPDF.exe Code function: 0_2_00007FF7626AEE30 0_2_00007FF7626AEE30
Source: C:\Users\user\Desktop\FakturaPDF.exe Code function: 0_2_00007FF7626AAE20 0_2_00007FF7626AAE20
Source: C:\Users\user\Desktop\FakturaPDF.exe Code function: 0_2_00007FF762758F14 0_2_00007FF762758F14
Source: C:\Users\user\Desktop\FakturaPDF.exe Code function: 0_2_00007FF7626B0EF0 0_2_00007FF7626B0EF0
Source: C:\Users\user\Desktop\FakturaPDF.exe Code function: 0_2_00007FF76275BE5C 0_2_00007FF76275BE5C
Source: C:\Users\user\Desktop\FakturaPDF.exe Code function: 0_2_00007FF7626CFEAB 0_2_00007FF7626CFEAB
Source: C:\Users\user\Desktop\FakturaPDF.exe Code function: 0_2_00007FF762749E82 0_2_00007FF762749E82
Source: C:\Users\user\Desktop\FakturaPDF.exe Code function: 0_2_00007FF762743E94 0_2_00007FF762743E94
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Code function: 12_2_10702130 12_2_10702130
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Code function: 12_2_1070698F 12_2_1070698F
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Code function: 12_2_107036C0 12_2_107036C0
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Code function: 12_2_1105DDB0 12_2_1105DDB0
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Code function: 12_2_11113F40 12_2_11113F40
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Code function: 12_2_11028090 12_2_11028090
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Code function: 12_2_1106EC60 12_2_1106EC60
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Code function: 12_2_1104D0A0 12_2_1104D0A0
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Code function: 12_2_110833A0 12_2_110833A0
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Code function: 12_2_11031570 12_2_11031570
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Code function: 12_2_1101B580 12_2_1101B580
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Code function: 12_2_1116378B 12_2_1116378B
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Code function: 12_2_1106B9D0 12_2_1106B9D0
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Code function: 12_2_1107BB50 12_2_1107BB50
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Code function: 12_2_11043B90 12_2_11043B90
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Code function: 12_2_1111DA20 12_2_1111DA20
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Code function: 12_2_11029F50 12_2_11029F50
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Code function: 12_2_1101A320 12_2_1101A320
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Code function: 12_2_11154210 12_2_11154210
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Code function: 12_2_1101A760 12_2_1101A760
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Code function: 12_2_1100882B 12_2_1100882B
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Code function: 12_2_11158A80 12_2_11158A80
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Code function: 12_2_1115CC45 12_2_1115CC45
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Code function: 12_2_6BD7A970 12_2_6BD7A970
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Code function: 12_2_6BD7DB90 12_2_6BD7DB90
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Code function: 12_2_6BDA38F3 12_2_6BDA38F3
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Code function: 12_2_6BDA48E0 12_2_6BDA48E0
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Code function: 12_2_6BDA3D88 12_2_6BDA3D88
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Code function: 12_2_6BD94390 12_2_6BD94390
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Code function: 12_2_6BD71310 12_2_6BD71310
Enables security privileges
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Process token adjusted: Security Jump to behavior
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\FakturaPDF.exe Code function: String function: 00007FF7627761A0 appears 32 times
Source: C:\Users\user\Desktop\FakturaPDF.exe Code function: String function: 00007FF762776080 appears 43 times
Source: C:\Users\user\Desktop\FakturaPDF.exe Code function: String function: 00007FF762775DA0 appears 91 times
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Code function: String function: 11027F50 appears 980 times
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Code function: String function: 110265F0 appears 46 times
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Code function: String function: 6BD76F50 appears 125 times
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Code function: String function: 1113C600 appears 588 times
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Code function: String function: 6BD99450 appears 34 times
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Code function: String function: 111647D0 appears 37 times
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Code function: String function: 11155C43 appears 40 times
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Code function: String function: 111592D0 appears 33 times
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Code function: String function: 11059E50 appears 294 times
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Code function: String function: 1107D280 appears 44 times
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Code function: String function: 6BD87A90 appears 51 times
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Code function: String function: 6BD730A0 appears 41 times
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Code function: String function: 6BD87D00 appears 96 times
PE / OLE file has an invalid certificate
Source: FakturaPDF.exe Static PE information: invalid certificate
Sample file is different than original file name gathered from version info
Source: FakturaPDF.exe, 00000000.00000003.2571849324.0000020498EEC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenametcctl32.dll4 vs FakturaPDF.exe
Source: FakturaPDF.exe Static PE information: Section: UPX1 ZLIB complexity 0.9961738782051283
Source: classification engine Classification label: mal84.rans.phis.troj.evad.winEXE@35/22@6/8
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Code function: 12_2_11055D80 GetLastError,FormatMessageA,LocalFree, 12_2_11055D80
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Code function: 12_2_11098130 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges, 12_2_11098130
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Code function: 12_2_110981C0 AdjustTokenPrivileges,FindCloseChangeNotification, 12_2_110981C0
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Code function: 12_2_1110DF20 CoInitialize,CoCreateInstance,LoadLibraryA,GetProcAddress,SHGetSettings,FreeLibrary,CoUninitialize, 12_2_1110DF20
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Code function: 12_2_110C79F0 IsWindow,IsWindowVisible,SetForegroundWindow,FindResourceExA,LoadResource,LockResource,DialogBoxIndirectParamA,DialogBoxParamA, 12_2_110C79F0
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Code function: 12_2_1111FF80 GetMessageA,Sleep,OpenSCManagerA,DispatchMessageA,OpenServiceA,CloseServiceHandle,StartServiceA,GetLastError,CloseServiceHandle,CloseServiceHandle,GetLastError,CloseServiceHandle,GetLastError, 12_2_1111FF80
Source: C:\Users\user\Desktop\FakturaPDF.exe File created: C:\Users\user\AppData\Roaming\windows2 Jump to behavior
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3820:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4140:120:WilError_03
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe File read: C:\Users\user\AppData\Roaming\windows2\CLIENT32.INI Jump to behavior
Source: C:\Users\user\Desktop\FakturaPDF.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\FakturaPDF.exe "C:\Users\user\Desktop\FakturaPDF.exe"
Source: C:\Users\user\Desktop\FakturaPDF.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\FakturaPDF.exe Process created: C:\Windows\System32\cmd.exe "cmd" /C start https://sx.ytmv5.ru.com/Faktura.pdf
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://sx.ytmv5.ru.com/Faktura.pdf
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 --field-trial-handle=2032,i,5830766051537790093,8353723363880984051,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Users\user\Desktop\FakturaPDF.exe Process created: C:\Users\user\AppData\Roaming\windows2\adobe.exe "C:\Users\user\AppData\Roaming\windows2\adobe.exe"
Source: C:\Users\user\Desktop\FakturaPDF.exe Process created: C:\Windows\System32\cmd.exe "cmd" /C start https://sx.ytmv5.ru.com/Faktura.pdf Jump to behavior
Source: C:\Users\user\Desktop\FakturaPDF.exe Process created: C:\Users\user\AppData\Roaming\windows2\adobe.exe "C:\Users\user\AppData\Roaming\windows2\adobe.exe" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://sx.ytmv5.ru.com/Faktura.pdf Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 --field-trial-handle=2032,i,5830766051537790093,8353723363880984051,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\FakturaPDF.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\FakturaPDF.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\Desktop\FakturaPDF.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Users\user\Desktop\FakturaPDF.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\FakturaPDF.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\FakturaPDF.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\FakturaPDF.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\FakturaPDF.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\FakturaPDF.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\FakturaPDF.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\FakturaPDF.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\FakturaPDF.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\Desktop\FakturaPDF.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\Desktop\FakturaPDF.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\FakturaPDF.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\FakturaPDF.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\Desktop\FakturaPDF.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\FakturaPDF.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\FakturaPDF.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\FakturaPDF.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\FakturaPDF.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\FakturaPDF.exe Section loaded: cryptnet.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: windows.shell.servicehostbuilder.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: ieframe.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: mlang.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: policymanager.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: msvcp110_win.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: pcacli.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Section loaded: pcicl32.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Section loaded: shfolder.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Section loaded: pcichek.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Section loaded: pcicapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Section loaded: msvcr100.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Section loaded: dbghelp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Section loaded: dbgcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Section loaded: nsmtrace.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Section loaded: devobj.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Section loaded: pcihooks.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Section loaded: riched32.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Section loaded: riched20.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Section loaded: usp10.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Section loaded: msls31.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Section loaded: pciinv.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Section loaded: firewallapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Section loaded: fwbase.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Section loaded: fwpolicyiomgr.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{75048700-EF1F-11D0-9888-006097DEACF9}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\FakturaPDF.exe File written: C:\Users\user\AppData\Roaming\windows2\NSM.ini Jump to behavior
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe File opened: C:\Windows\SysWOW64\riched32.dll Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: FakturaPDF.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe File opened: C:\Users\user\AppData\Roaming\windows2\MSVCR100.dll Jump to behavior
Source: FakturaPDF.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: msvcr100.i386.pdb source: adobe.exe, adobe.exe, 0000000C.00000002.4605987963.000000006FCC1000.00000020.00000001.01000000.0000000B.sdmp, msvcr100.dll.0.dr
Source: Binary string: E:\nsmsrc\nsm\1201\1201F2\client32\Release\PCICL32.pdbP source: adobe.exe, 0000000C.00000002.4603990916.0000000011188000.00000002.00000001.01000000.00000008.sdmp, PCICL32.DLL.0.dr
Source: Binary string: E:\nsmsrc\nsm\1201\1201F\ctl32\Full\pcichek.pdb source: adobe.exe, 0000000C.00000002.4606492989.000000006FD82000.00000002.00000001.01000000.00000009.sdmp, PCICHEK.DLL.0.dr
Source: Binary string: E:\nsmsrc\nsm\1201\1201F2\ctl32\release\htctl32.pdbL source: adobe.exe, 0000000C.00000002.4605274958.000000006BDB0000.00000002.00000001.01000000.0000000C.sdmp, HTCTL32.DLL.0.dr
Source: Binary string: E:\nsmsrc\nsm\1201\1201F\ctl32\Full\pcichek.pdbN source: PCICHEK.DLL.0.dr
Source: Binary string: m\1201\1201\ctl32\release\pcicapi.pdb source: pcicapi.dll.0.dr
Source: Binary string: E:\nsmsrc\nsm\1201\1201F2\client32\Release\PCICL32.pdb source: adobe.exe, 0000000C.00000002.4603990916.0000000011188000.00000002.00000001.01000000.00000008.sdmp, PCICL32.DLL.0.dr
Source: Binary string: E:\nsmsrc\nsm\1201\1201F2\ctl32\release\tcctl32.pdbP source: TCCTL32.DLL.0.dr
Source: Binary string: pcicapi.pdbm\1201\1201\ctl32\release\pcicapi.pdbH source: pcicapi.dll.0.dr
Source: Binary string: E:\nsmsrc\nsm\1201\1201F2\ctl32\release\tcctl32.pdb source: TCCTL32.DLL.0.dr
Source: Binary string: E:\nsmsrc\nsm\1200\1200\client32\Release\client32.pdb source: adobe.exe, 0000000C.00000001.2305968764.0000000000012000.00000002.00000001.01000000.00000007.sdmp, adobe.exe, 0000000C.00000000.2305770068.0000000000012000.00000002.00000001.01000000.00000007.sdmp, adobe.exe, 0000000C.00000002.4600042524.0000000000012000.00000002.00000001.01000000.00000007.sdmp, adobe.exe.0.dr
Source: Binary string: E:\nsmsrc\nsm\1201\1201F2\ctl32\release\htctl32.pdb source: adobe.exe, 0000000C.00000002.4605274958.000000006BDB0000.00000002.00000001.01000000.0000000C.sdmp, HTCTL32.DLL.0.dr
Source: Binary string: pcicapi.pdb source: pcicapi.dll.0.dr
Source: Binary string: E:\nsmsrc\nsm\1201\1201\AudioCapture\Release\AudioCapture.pdb source: AudioCapture.dll.0.dr
Source: Binary string: downloader.pdb source: FakturaPDF.exe, FakturaPDF.exe, 00000000.00000002.4601629330.00007FF7626A1000.00000040.00000001.01000000.0000000D.sdmp
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Code function: 12_2_1070CC8F LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 12_2_1070CC8F
PE file contains sections with non-standard names
Source: PCICL32.DLL.0.dr Static PE information: section name: .hhshare
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Code function: 12_2_10705B60 push eax; ret 12_2_10705B8E
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Code function: 12_2_1115F709 push ecx; ret 12_2_1115F71C
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Code function: 12_2_11164815 push ecx; ret 12_2_11164828
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Code function: 12_2_6BDA6B8F push ecx; ret 12_2_6BDA6BA2
Source: msvcr100.dll.0.dr Static PE information: section name: .text entropy: 6.909044922675825
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
Drops PE files
Source: C:\Users\user\Desktop\FakturaPDF.exe File created: C:\Users\user\AppData\Roaming\windows2\PCICHEK.DLL Jump to dropped file
Source: C:\Users\user\Desktop\FakturaPDF.exe File created: C:\Users\user\AppData\Roaming\windows2\msvcr100.dll Jump to dropped file
Source: C:\Users\user\Desktop\FakturaPDF.exe File created: C:\Users\user\AppData\Roaming\windows2\pcicapi.dll Jump to dropped file
Source: C:\Users\user\Desktop\FakturaPDF.exe File created: C:\Users\user\AppData\Roaming\windows2\AudioCapture.dll Jump to dropped file
Source: C:\Users\user\Desktop\FakturaPDF.exe File created: C:\Users\user\AppData\Roaming\windows2\HTCTL32.DLL Jump to dropped file
Source: C:\Users\user\Desktop\FakturaPDF.exe File created: C:\Users\user\AppData\Roaming\windows2\adobe.exe Jump to dropped file
Source: C:\Users\user\Desktop\FakturaPDF.exe File created: C:\Users\user\AppData\Roaming\windows2\PCICL32.DLL Jump to dropped file
Source: C:\Users\user\Desktop\FakturaPDF.exe File created: C:\Users\user\AppData\Roaming\windows2\TCCTL32.DLL Jump to dropped file
Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: Chrome Cache Entry: 131
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: Chrome Cache Entry: 131 Jump to dropped file
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Code function: 12_2_6BD87030 ctl_open,LoadLibraryA,InitializeCriticalSection,CreateEventA,CreateEventA,CreateEventA,CreateEventA,WSAStartup,_malloc,_memset,_calloc,_malloc,_memset,_malloc,_memset,GetTickCount,CreateThread,SetThreadPriority,GetModuleFileNameA,GetPrivateProfileIntA,GetModuleHandleA,CreateMutexA,timeBeginPeriod, 12_2_6BD87030
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Code function: 12_2_1111FF80 GetMessageA,Sleep,OpenSCManagerA,DispatchMessageA,OpenServiceA,CloseServiceHandle,StartServiceA,GetLastError,CloseServiceHandle,CloseServiceHandle,GetLastError,CloseServiceHandle,GetLastError, 12_2_1111FF80

Hooking and other Techniques for Hiding and Protection
barindex
Uses known network protocols on non-standard ports
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 9164 -> 49733
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 9164 -> 49733
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 9164
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Code function: 12_2_11130AA0 IsWindowVisible,IsWindow,IsWindowVisible,IsWindowVisible,GetForegroundWindow,EnableWindow,EnableWindow,EnableWindow,SetForegroundWindow,FindWindowA,IsWindowVisible,IsWindowVisible,IsIconic,GetForegroundWindow,SetForegroundWindow,EnableWindow,GetLastError,GetLastError,GetLastError, 12_2_11130AA0
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Code function: 12_2_110BB710 IsIconic,ShowWindow,BringWindowToTop,GetCurrentThreadId, 12_2_110BB710
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Code function: 12_2_1110B640 IsIconic,GetTickCount,CreateRectRgn,GetClientRect,SetStretchBltMode,CreateRectRgn,GetClipRgn,OffsetRgn,GetRgnBox,SelectClipRgn,StretchBlt,SelectClipRgn,DeleteObject,StretchBlt,StretchBlt,GetWindowOrgEx,StretchBlt,GetKeyState,CreatePen,CreatePen,SelectObject,Polyline,Sleep,SelectObject,Polyline,Sleep,SelectObject,DeleteObject,DeleteObject,BitBlt, 12_2_1110B640
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Code function: 12_2_110C5D30 GetWindowRect,IsIconic,GetClientRect,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetWindowRect,SetWindowPos, 12_2_110C5D30
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Code function: 12_2_110C5D30 GetWindowRect,IsIconic,GetClientRect,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetWindowRect,SetWindowPos, 12_2_110C5D30
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Code function: 12_2_110242F0 SetWindowPos,GetMenu,DrawMenuBar,GetMenu,DeleteMenu,UpdateWindow,IsIconic,SetTimer,KillTimer, 12_2_110242F0
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Code function: 12_2_11024740 IsIconic,BringWindowToTop,GetCurrentThreadId, 12_2_11024740
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Code function: 12_2_11150750 IsIconic,ShowWindow,BringWindowToTop,IsWindow,IsIconic,ShowWindow,BringWindowToTop, 12_2_11150750
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Code function: 12_2_11150750 IsIconic,ShowWindow,BringWindowToTop,IsWindow,IsIconic,ShowWindow,BringWindowToTop, 12_2_11150750
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Code function: 12_2_11022910 BringWindowToTop,SetWindowPos,SetWindowPos,SetWindowPos,GetWindowLongA,SetWindowLongA,GetDlgItem,EnableWindow,GetMenu,DeleteMenu,DrawMenuBar,SetWindowPos,IsIconic,UpdateWindow,SetTimer,KillTimer, 12_2_11022910
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Code function: 12_2_11150B50 _memset,SendMessageA,SendMessageA,ShowWindow,SendMessageA,IsIconic,IsZoomed,ShowWindow,GetDesktopWindow,TileWindows, 12_2_11150B50
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Code function: 12_2_1111AB40 IsIconic,FreeLibrary,IsIconic,InvalidateRect,PostMessageA,PostMessageA,PostMessageA,PostMessageA,PostMessageA,PostMessageA, 12_2_1111AB40
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Code function: 12_2_1111AB40 IsIconic,FreeLibrary,IsIconic,InvalidateRect,PostMessageA,PostMessageA,PostMessageA,PostMessageA,PostMessageA,PostMessageA, 12_2_1111AB40
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Code function: 12_2_1110AA20 IsIconic,GetTickCount, 12_2_1110AA20
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Code function: 12_2_11022FE0 _memset,_strncpy,_memset,_strncpy,IsWindow,IsIconic,BringWindowToTop,GetCurrentThreadId, 12_2_11022FE0
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Code function: 12_2_10701940 GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 12_2_10701940
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\FakturaPDF.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate Jump to behavior
Source: C:\Users\user\Desktop\FakturaPDF.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot Jump to behavior

Malware Analysis System Evasion
barindex
Contains functionality to detect sleep reduction / modifications
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Code function: 12_2_6BD791F0 12_2_6BD791F0
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Code function: 12_2_6BD84F30 12_2_6BD84F30
Delayed program exit found
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Code function: 12_2_110B2DA0 Sleep,ExitProcess, 12_2_110B2DA0
Contains functionality to query network adapater information
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Code function: _memset,LoadLibraryA,GetProcAddress,GetAdaptersInfo,_malloc,GetAdaptersInfo,wsprintfA,_free,FreeLibrary, 12_2_6BD87F80
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Window / User API: threadDelayed 3376 Jump to behavior
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Window / User API: threadDelayed 6256 Jump to behavior
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\Desktop\FakturaPDF.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\windows2\AudioCapture.dll Jump to dropped file
Source: C:\Users\user\Desktop\FakturaPDF.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\windows2\HTCTL32.DLL Jump to dropped file
Source: C:\Users\user\Desktop\FakturaPDF.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\windows2\TCCTL32.DLL Jump to dropped file
Found evaded block containing many API calls
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Evaded block: after key decision
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Evaded block: after key decision
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Evaded block: after key decision
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Evaded block: after key decision
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Evaded block: after key decision
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Evaded block: after key decision
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Evaded block: after key decision
Found evasive API chain (date check)
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Evasive API call chain: GetLocalTime,DecisionNodes
Found evasive API chain checking for process token information
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Found large amount of non-executed APIs
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe API coverage: 6.3 %
May check if the current machine is a sandbox (GetTickCount - Sleep)
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Code function: 12_2_6BD84F30 12_2_6BD84F30
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe TID: 3392 Thread sleep time: -844000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe TID: 3392 Thread sleep time: -1564000s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Uses the system / local time for branch decision (may execute only at specific dates)
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Code function: 12_2_6BD83130 GetSystemTime followed by cmp: cmp eax, 02h and CTI: je 6BD83226h 12_2_6BD83130
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Code function: 12_2_11103360 _memset,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,FindNextFileA,GetLastError,FindClose, 12_2_11103360
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Code function: 12_2_110619A0 _memset,_memmove,_strncpy,CharUpperA,FindFirstFileA,FindNextFileA,FindClose,wsprintfA, 12_2_110619A0
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Code function: 12_2_1102BC80 InterlockedIncrement,Sleep,Sleep,GetCurrentProcess,SetPriorityClass,SetEvent,Sleep,PostThreadMessageA,PostThreadMessageA,CloseHandle,_free,_free,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess, 12_2_1102BC80
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Code function: 12_2_11066090 GetTickCount,OpenPrinterA,StartDocPrinterA,ClosePrinter,FindFirstFileA,FindClose,CreateFileA,SetFilePointer,GetTickCount,GetLastError, 12_2_11066090
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Code function: 12_2_1111E850 _memset,_memset,GetVersionExA,GetTempPathA,GetModuleFileNameA,_strrchr,CreateFileA,CreateFileA,WriteFile,CloseHandle,CloseHandle,CreateFileA,GetCurrentProcessId,wsprintfA,CreateProcessA,CloseHandle,CloseHandle,CloseHandle,CreateProcessA,DeleteFileA,Sleep,WaitForSingleObject,CloseHandle,GetCurrentProcess,RemoveDirectoryA,GetLastError,ExitProcess,FindNextFileA,FindClose,FindFirstFileA,GetCurrentProcess,GetCurrentProcess,DuplicateHandle,GetModuleFileNameA,_strrchr,_memmove,GetThreadContext,VirtualProtectEx,WriteProcessMemory,FlushInstructionCache,SetThreadContext,ResumeThread,CloseHandle,CloseHandle, 12_2_1111E850
Source: HTCTL32.DLL.0.dr Binary or memory string: VMware
Source: HTCTL32.DLL.0.dr Binary or memory string: hbuf->datahttputil.c%5d000000000002004C4F4F50VirtualVMwareVIRTNETGetAdaptersInfoiphlpapi.dllcbMacAddress == MAX_ADAPTER_ADDRESS_LENGTHmacaddr.cpp,%02x%02x%02x%02x%02x%02x* Netbiosnetapi32.dll01234567890abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZwhoa nelly, says Sherman, the Sharkhellooo nurse!kernel32.dllProcessIdToSessionId%s_L%d_%xNOT copied to diskcopied to %sAssert failed - Unhandled Exception (GPF) -
Source: TCCTL32.DLL.0.dr Binary or memory string: skt%dWSAIoctlclosesocketsocketWSACleanupWSAStartupws2_32.dllGetAdaptersInfoIPHLPAPI.DLLVMWarevirtGetAdaptersAddressesVMWarevirtntohlTCREMOTETCBRIDGE%s=%s
Source: HTCTL32.DLL.0.dr Binary or memory string: plist<T> too longp.secondQueueQueueThreadEventidata->Q.size () == 0p < ep%dWSAIoctlclosesocketsocketWSACleanupWSAStartupws2_32.dllIPHLPAPI.DLLVMWarevirtGetAdaptersAddressesVMWarevirtntohlWinHttpCloseHandleWinHttpGetProxyForUrlNS247WinHttpOpenWinHttpGetIEProxyConfigForCurrentUserwinhttp.dllc != '\0'dstbufyenc.cla
Source: adobe.exe, 0000000C.00000002.4600849113.0000000000CE4000.00000004.00000020.00020000.00000000.sdmp, adobe.exe, 0000000C.00000002.4600849113.0000000000C6E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: TCCTL32.DLL.0.dr Binary or memory string: VMWare
Source: FakturaPDF.exe, 00000000.00000003.2299764347.0000020498E77000.00000004.00000020.00020000.00000000.sdmp, FakturaPDF.exe, 00000000.00000002.4600583484.0000020498E79000.00000004.00000020.00020000.00000000.sdmp, FakturaPDF.exe, 00000000.00000003.2571889762.0000020498E79000.00000004.00000020.00020000.00000000.sdmp, FakturaPDF.exe, 00000000.00000003.2299644613.0000020498E76000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll,
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe API call chain: ExitProcess graph end node
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\FakturaPDF.exe Code function: 0_2_00007FF76274988D RegCloseKey,RegCloseKey,IsDebuggerPresent, 0_2_00007FF76274988D
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Code function: 12_2_10702410 CreateEventA,GetLastError,GetTickCount,GetMessageA,TranslateMessage,DispatchMessageA,GetTickCount,GetMessageA,TranslateMessage,DispatchMessageA,GetCurrentThreadId,wsprintfA,wsprintfA,wsprintfA,GetCurrentThreadId,wsprintfA,OutputDebugStringA,wsprintfA,wsprintfA,GetModuleFileNameA,wsprintfA,GetTempPathA,GetLocalTime,GetVersionExA,wsprintfA,wsprintfA,wsprintfA,SetTimer,MessageBoxA,KillTimer,PeekMessageA,MessageBoxA, 12_2_10702410
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Code function: 12_2_1070CC8F LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 12_2_1070CC8F
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\FakturaPDF.exe Code function: 0_2_00007FF76277A238 GetProcessHeap, 0_2_00007FF76277A238
Source: C:\Users\user\Desktop\FakturaPDF.exe Code function: 0_2_00007FF7626A7B40 RtlAddVectoredExceptionHandler,SetThreadStackGuarantee,SetThreadDescription,SetThreadDescription, 0_2_00007FF7626A7B40
Source: C:\Users\user\Desktop\FakturaPDF.exe Code function: 0_2_00007FF76277A040 SetUnhandledExceptionFilter,UpdateProcThreadAttribute,GetCurrentProcessId, 0_2_00007FF76277A040
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Code function: 12_2_11163549 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 12_2_11163549
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Code function: 12_2_11157561 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 12_2_11157561
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Code function: 12_2_1102F670 _NSMClient32@8,SetUnhandledExceptionFilter, 12_2_1102F670
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Code function: 12_2_1108E990 _NSMFindClass@12,SetUnhandledExceptionFilter,OpenEventA,FindWindowA,SetForegroundWindow,CreateEventA,CloseHandle, 12_2_1108E990
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Code function: 12_2_6BD928B1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 12_2_6BD928B1
Source: C:\Users\user\Desktop\FakturaPDF.exe Memory allocated: page read and write | page guard Jump to behavior
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Code function: PostMessageA,GetWindowRect,GetWindowLongA,GetClassNameA,GetWindowThreadProcessId,OpenProcess,CloseHandle,FreeLibrary, \Explorer.exe 12_2_1102E890
Contains functionality to execute programs as a different user
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Code function: 12_2_110ED440 GetTickCount,LogonUserA,GetTickCount,GetLastError, 12_2_110ED440
Contains functionality to simulate keystroke presses
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Code function: 12_2_11117F00 GetForegroundWindow,GetClassNameA,GetWindowTextA,keybd_event,keybd_event,keybd_event, 12_2_11117F00
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\FakturaPDF.exe Process created: C:\Windows\System32\cmd.exe "cmd" /C start https://sx.ytmv5.ru.com/Faktura.pdf Jump to behavior
Source: C:\Users\user\Desktop\FakturaPDF.exe Process created: C:\Users\user\AppData\Roaming\windows2\adobe.exe "C:\Users\user\AppData\Roaming\windows2\adobe.exe" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://sx.ytmv5.ru.com/Faktura.pdf Jump to behavior
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Code function: 12_2_11098E70 LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,GetVersionExA,GetSecurityDescriptorSacl,SetSecurityDescriptorSacl,FreeLibrary,CreateFileMappingA,GetLastError,LocalFree,LocalFree,LocalFree,GetLastError,MapViewOfFile,LocalFree,LocalFree,LocalFree,GetModuleFileNameA,GetModuleFileNameA,LocalFree,LocalFree,LocalFree,_memset,GetTickCount,GetCurrentProcessId,GetModuleFileNameA,CreateEventA,CreateEventA,GetLastError,GetLastError,CreateEventA,GetLastError,GetLastError,CreateEventA,GetLastError,GetLastError,CreateEventA,GetLastError,GetLastError,GetLastError,LocalFree,LocalFree,LocalFree,GetCurrentThreadId,CreateThread,ResetEvent,ResetEvent,ResetEvent,ResetEvent,SetEvent, 12_2_11098E70
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Code function: 12_2_110995F0 GetTokenInformation,GetTokenInformation,GetTokenInformation,AllocateAndInitializeSid,EqualSid, 12_2_110995F0
Source: adobe.exe, adobe.exe, 0000000C.00000002.4603990916.0000000011188000.00000002.00000001.01000000.00000008.sdmp, PCICL32.DLL.0.dr Binary or memory string: Shell_TrayWnd
Source: adobe.exe, adobe.exe, 0000000C.00000002.4603990916.0000000011188000.00000002.00000001.01000000.00000008.sdmp, PCICL32.DLL.0.dr Binary or memory string: Progman
Source: adobe.exe, 0000000C.00000002.4603990916.0000000011188000.00000002.00000001.01000000.00000008.sdmp, PCICL32.DLL.0.dr Binary or memory string: Progman|
Source: adobe.exe, 0000000C.00000002.4603990916.0000000011188000.00000002.00000001.01000000.00000008.sdmp, PCICL32.DLL.0.dr Binary or memory string: Shell_TrayWndTraceRunpluginTimeout
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Code function: EnumSystemLocalesA, 12_2_1070B4E8
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Code function: EnumSystemLocalesA, 12_2_1070B14A
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Code function: GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoA,MultiByteToWideChar, 12_2_1070E5F1
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Code function: GetLocaleInfoA, 12_2_1070B6DC
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Code function: GetLocaleInfoA,MultiByteToWideChar, 12_2_1070E6AE
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Code function: GetLocaleInfoA,IsValidCodePage,IsValidLocale, 12_2_1070AF75
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Code function: GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoW,GetLocaleInfoW,WideCharToMultiByte, 12_2_1070E704
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Code function: EnumSystemLocalesA, 12_2_1070B3D5
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Code function: GetLocaleInfoW,WideCharToMultiByte, 12_2_1070E7C7
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s, 12_2_11169356
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage, 12_2_111691F3
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage, 12_2_11169022
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA, 12_2_1116931A
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA, 12_2_111692B3
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Code function: GetLocaleInfoA, 12_2_11160B4E
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA, 12_2_11168F20
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen, 12_2_11168FC7
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 12_2_11168E2B
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Code function: GetLocaleInfoW,GetLocaleInfoW,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea, 12_2_6BDADB4E
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__invoke_watson,GetLocaleInfoW,GetLocaleInfoW,__calloc_crt,GetLocaleInfoW,_free,GetLocaleInfoW, 12_2_6BD9FAAF
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,_free,_free, 12_2_6BDA0F09
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage, 12_2_6BDA1E88
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen, 12_2_6BDA1E2D
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA, 12_2_6BDA1D86
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 12_2_6BDA1C91
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Code function: GetLocaleInfoA, 12_2_6BDADC6B
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 12_2_6BDADC28
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, 12_2_6BDA027D
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,InterlockedDecrement,InterlockedDecrement,_free,_free, 12_2_6BDA1227
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s, 12_2_6BDA21E8
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA, 12_2_6BDA21AC
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA, 12_2_6BDA2145
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\FakturaPDF.exe Queries volume information: C:\Users\user\AppData\Roaming\windows2 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FakturaPDF.exe Queries volume information: C:\Users\user\AppData\Roaming\windows2 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FakturaPDF.exe Queries volume information: C:\Users\user\AppData\Roaming\windows2 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FakturaPDF.exe Queries volume information: C:\Users\user\AppData\Roaming\windows2 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FakturaPDF.exe Queries volume information: C:\Users\user\AppData\Roaming\windows2 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\FakturaPDF.exe Queries volume information: C:\Users\user\AppData\Roaming\windows2 VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Code function: 12_2_110EC2D0 LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeA,GetLastError,Sleep,CreateNamedPipeA,LocalFree, 12_2_110EC2D0
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Code function: 12_2_10702410 CreateEventA,GetLastError,GetTickCount,GetMessageA,TranslateMessage,DispatchMessageA,GetTickCount,GetMessageA,TranslateMessage,DispatchMessageA,GetCurrentThreadId,wsprintfA,wsprintfA,wsprintfA,GetCurrentThreadId,wsprintfA,OutputDebugStringA,wsprintfA,wsprintfA,GetModuleFileNameA,wsprintfA,GetTempPathA,GetLocalTime,GetVersionExA,wsprintfA,wsprintfA,wsprintfA,SetTimer,MessageBoxA,KillTimer,PeekMessageA,MessageBoxA, 12_2_10702410
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Code function: 12_2_110391A0 _calloc,GetUserNameA,_free,_calloc,_free, 12_2_110391A0
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Code function: 12_2_1070E05D InterlockedDecrement,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte, 12_2_1070E05D
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Code function: 12_2_10702410 CreateEventA,GetLastError,GetTickCount,GetMessageA,TranslateMessage,DispatchMessageA,GetTickCount,GetMessageA,TranslateMessage,DispatchMessageA,GetCurrentThreadId,wsprintfA,wsprintfA,wsprintfA,GetCurrentThreadId,wsprintfA,OutputDebugStringA,wsprintfA,wsprintfA,GetModuleFileNameA,wsprintfA,GetTempPathA,GetLocalTime,GetVersionExA,wsprintfA,wsprintfA,wsprintfA,SetTimer,MessageBoxA,KillTimer,PeekMessageA,MessageBoxA, 12_2_10702410
Source: C:\Users\user\Desktop\FakturaPDF.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Code function: 12_2_10703240 CapiListen, 12_2_10703240
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Code function: 12_2_110D1640 __CxxThrowException@8,gethostbyname,WSAGetLastError,_memmove,htons,socket,WSAGetLastError,#21,bind,WSAGetLastError,listen,WSAGetLastError,accept,WSAGetLastError, 12_2_110D1640
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Code function: 12_2_1106B9D0 CapiHangup,CapiClose,CapiOpen,CapiListen,GetTickCount,GetTickCount,GetTickCount,CapiHangup,Sleep,GetTickCount,Sleep, 12_2_1106B9D0
Source: C:\Users\user\AppData\Roaming\windows2\adobe.exe Code function: 12_2_6BD7A970 EnterCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,WSAGetLastError,socket,WSAGetLastError,#21,#21,#21,bind,WSAGetLastError,closesocket,htons,WSASetBlockingHook,WSAGetLastError,WSAUnhookBlockingHook,closesocket,WSAGetLastError,WSAUnhookBlockingHook,closesocket,WSAUnhookBlockingHook,EnterCriticalSection,InitializeCriticalSection,getsockname,LeaveCriticalSection,GetTickCount,InterlockedExchange, 12_2_6BD7A970
Yara detected NetSupport remote tool
Source: Yara match File source: 12.2.adobe.exe.6fd80000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.adobe.exe.10000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.adobe.exe.10000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.adobe.exe.10700000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.adobe.exe.111abb38.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.adobe.exe.6bd70000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.adobe.exe.11000000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000C.00000002.4605274958.000000006BDB0000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.4604066042.00000000111D5000.00000004.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2571849324.0000020498EEC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000001.2305968764.0000000000012000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.4603990916.0000000011188000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.2305770068.0000000000012000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.4600042524.0000000000012000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: FakturaPDF.exe PID: 6484, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: adobe.exe PID: 1396, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Roaming\windows2\PCICHEK.DLL, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\windows2\adobe.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\windows2\AudioCapture.dll, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\windows2\pcicapi.dll, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\windows2\HTCTL32.DLL, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\windows2\TCCTL32.DLL, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\windows2\PCICL32.DLL, type: DROPPED
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1500625 Sample: FakturaPDF.exe Startdate: 28/08/2024 Architecture: WINDOWS Score: 84 36 sx.ytmv5.ru.com 2->36 38 geo.netsupportsoftware.com 2->38 54 Suricata IDS alerts for network traffic 2->54 56 AI detected phishing page 2->56 58 Uses known network protocols on non-standard ports 2->58 60 AI detected suspicious sample 2->60 9 FakturaPDF.exe 16 2->9         started        signatures3 process4 file5 28 C:\Users\user\AppData\Roaming\...\pcicapi.dll, PE32 9->28 dropped 30 C:\Users\user\AppData\Roaming\...\adobe.exe, PE32 9->30 dropped 32 C:\Users\user\AppData\...\msvcr100.dll, PE32 9->32 dropped 34 5 other files (none is malicious) 9->34 dropped 12 adobe.exe 17 9->12         started        16 cmd.exe 13 9->16         started        18 conhost.exe 9->18         started        process6 dnsIp7 50 51.38.106.86, 49733, 9164 OVHFR France 12->50 52 geo.netsupportsoftware.com 172.67.68.212, 49734, 80 CLOUDFLARENETUS United States 12->52 62 Multi AV Scanner detection for dropped file 12->62 64 Contains functionalty to change the wallpaper 12->64 66 Delayed program exit found 12->66 68 Contains functionality to detect sleep reduction / modifications 12->68 20 chrome.exe 14 16->20         started        23 conhost.exe 16->23         started        signatures8 process9 dnsIp10 40 192.168.2.6, 138, 443, 49257 unknown unknown 20->40 42 192.168.2.16 unknown unknown 20->42 44 2 other IPs or domains 20->44 25 chrome.exe 20->25         started        process11 dnsIp12 46 sx.ytmv5.ru.com 109.123.227.60, 443, 49713, 49719 CASABLANCA-ASInternetCollocationProviderCZ Czech Republic 25->46 48 www.google.com 142.250.186.132, 443, 49723, 55920 GOOGLEUS United States 25->48
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
172.67.68.212
 geo.netsupportsoftware.com United States
13335 CLOUDFLARENETUS false
51.38.106.86
 unknown France
16276 OVHFR true
239.255.255.250
 unknown Reserved
unknown unknown false
142.250.186.132
 www.google.com United States
15169 GOOGLEUS false
109.123.227.60
 sx.ytmv5.ru.com Czech Republic
15685 CASABLANCA-ASInternetCollocationProviderCZ true

Private

IP
192.168.2.16
192.168.2.6
192.168.2.5

Contacted Domains

Name IP Active
geo.netsupportsoftware.com 172.67.68.212 true
www.google.com 142.250.186.132 true
sx.ytmv5.ru.com 109.123.227.60 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://51.38.106.86/fakeurl.htm true
  • Avira URL Cloud: safe
 unknown
http://geo.netsupportsoftware.com/location/loca.asp false
  • Avira URL Cloud: safe
 unknown
file:///C:/Users/user/Downloads/downloaded.pdf false
  • Avira URL Cloud: safe
 unknown
https://sx.ytmv5.ru.com/favicon.ico false
  • Avira URL Cloud: safe
 unknown
https://sx.ytmv5.ru.com/Faktura.pdf true
    		unknown