Windows Analysis Report
sxs.exe

Overview

General Information

Sample name: sxs.exe
Analysis ID: 1501290
MD5: 4f89e3a88853265154e24969581fb45a
SHA1: d5ae12cfe50ac91702da2ccd4e21321ef256ea2a
SHA256: ee77a17f0c1ff00fb7eb9a453ec22bb63ae382256211b6aa5db67c48e52fed73
Infos:

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Allocates memory in foreign processes
Changes autostart functionality of drives
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Drops executables to the windows directory (C:\Windows) and starts them
Found evasive API chain (may stop execution after checking mutex)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses regedit.exe to modify the Windows registry
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Checks for available system drives (often done to infect USB drives)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to search for IE or Outlook window (often done to steal information)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Explorer Process Tree Break
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Uses net.exe to stop services

Classification

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: sxs.exe Avira: detected
Antivirus detection for URL or domain
Source: http://www.om7890.com/mfx/help.exe Avira URL Cloud: Label: malware
Source: http://w.tw7890.com/ Avira URL Cloud: Label: malware
Source: http://www.tw7890.com/twv/help.exehttp://www.om7890.com/mfx/help.exehttp://www.hg7890.com/hgb/help.e Avira URL Cloud: Label: malware
Source: http://www.tw7890.com/twv/help.exe Avira URL Cloud: Label: malware
Antivirus detection for dropped file
Source: C:\Windows\wuauclt.exe Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Multi AV Scanner detection for dropped file
Source: C:\Windows\wuauclt.exe ReversingLabs: Detection: 91%
Multi AV Scanner detection for submitted file
Source: sxs.exe ReversingLabs: Detection: 91%
Machine Learning detection for dropped file
Source: C:\Windows\wuauclt.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: sxs.exe Joe Sandbox ML: detected
Source: https://www.onefordvd.com/lander HTTP Parser: No favicon
Source: https://www.onefordvd.com/lander HTTP Parser: No favicon
Source: https://www.onefordvd.com/lander HTTP Parser: No favicon
Source: https://www.onefordvd.com/lander HTTP Parser: No favicon
Uses 32bit PE files
Source: sxs.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 23.1.237.91:443 -> 192.168.2.5:53808 version: TLS 1.0
Source: unknown HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.5:53760 version: TLS 1.2
Source: unknown HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.5:53773 version: TLS 1.2
Source: unknown HTTPS traffic detected: 52.165.165.26:443 -> 192.168.2.5:53799 version: TLS 1.2
Source: unknown HTTPS traffic detected: 52.165.165.26:443 -> 192.168.2.5:53809 version: TLS 1.2

Spreading
barindex
Changes autostart functionality of drives
Source: C:\Windows\SysWOW64\regedit.exe Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer NoDriveTypeAutoRun
Checks for available system drives (often done to infect USB drives)
Source: C:\Windows\wuauclt.exe File opened: z:
Source: C:\Windows\wuauclt.exe File opened: y:
Source: C:\Windows\wuauclt.exe File opened: x:
Source: C:\Windows\wuauclt.exe File opened: w:
Source: C:\Windows\wuauclt.exe File opened: v:
Source: C:\Windows\wuauclt.exe File opened: u:
Source: C:\Windows\wuauclt.exe File opened: t:
Source: C:\Windows\wuauclt.exe File opened: s:
Source: C:\Windows\wuauclt.exe File opened: r:
Source: C:\Windows\wuauclt.exe File opened: q:
Source: C:\Windows\wuauclt.exe File opened: p:
Source: C:\Windows\wuauclt.exe File opened: o:
Source: C:\Windows\wuauclt.exe File opened: n:
Source: C:\Windows\wuauclt.exe File opened: m:
Source: C:\Windows\wuauclt.exe File opened: l:
Source: C:\Windows\wuauclt.exe File opened: k:
Source: C:\Windows\wuauclt.exe File opened: j:
Source: C:\Windows\wuauclt.exe File opened: i:
Source: C:\Windows\wuauclt.exe File opened: h:
Source: C:\Windows\wuauclt.exe File opened: g:
Source: C:\Windows\wuauclt.exe File opened: f:
Source: C:\Windows\wuauclt.exe File opened: e:
Source: C:\Windows\explorer.exe File opened: c:
May infect USB drives
Source: sxs.exe Binary or memory string: \autorun.inf
Source: sxs.exe Binary or memory string: [AutoRun]
Source: sxs.exe, 00000000.00000002.2038596081.0000000000401000.00000004.00000001.01000000.00000003.sdmp Binary or memory string: \autorun.inf
Source: sxs.exe, 00000000.00000002.2038596081.0000000000401000.00000004.00000001.01000000.00000003.sdmp Binary or memory string: [AutoRun]
Source: sxs.exe, 00000000.00000002.2038596081.0000000000401000.00000004.00000001.01000000.00000003.sdmp Binary or memory string: [AutoRun]
Source: wuauclt.exe Binary or memory string: \autorun.inf
Source: wuauclt.exe Binary or memory string: [AutoRun]
Source: wuauclt.exe, 00000004.00000002.3252810810.0000000000401000.00000004.00000001.01000000.00000007.sdmp Binary or memory string: \autorun.inf
Source: wuauclt.exe, 00000004.00000002.3252810810.0000000000401000.00000004.00000001.01000000.00000007.sdmp Binary or memory string: [AutoRun]
Source: wuauclt.exe, 00000004.00000002.3252810810.0000000000401000.00000004.00000001.01000000.00000007.sdmp Binary or memory string: [AutoRun]
Source: wuauclt.exe Binary or memory string: \autorun.inf
Source: wuauclt.exe Binary or memory string: [AutoRun]
Source: wuauclt.exe, 0000002A.00000002.2234707421.0000000000401000.00000004.00000001.01000000.00000007.sdmp Binary or memory string: \autorun.inf
Source: wuauclt.exe, 0000002A.00000002.2234707421.0000000000401000.00000004.00000001.01000000.00000007.sdmp Binary or memory string: [AutoRun]
Source: wuauclt.exe, 0000002A.00000002.2234707421.0000000000401000.00000004.00000001.01000000.00000007.sdmp Binary or memory string: [AutoRun]
Source: C:\Users\user\Desktop\sxs.exe Code function: 0_2_00404C8C FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime, 0_2_00404C8C
Source: C:\Windows\wuauclt.exe Code function: 4_2_00404C8C FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime, 4_2_00404C8C
Source: C:\Windows\wuauclt.exe Code function: 42_2_00404C8C FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime, 42_2_00404C8C
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 104.26.2.70 104.26.2.70
Source: Joe Sandbox View IP Address: 172.67.69.19 172.67.69.19
Source: Joe Sandbox View IP Address: 15.197.204.56 15.197.204.56
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 1138de370e523e824bbca92d049a3777
Source: Joe Sandbox View JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 23.1.237.91:443 -> 192.168.2.5:53808 version: TLS 1.0
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: C:\Users\user\Desktop\sxs.exe Code function: 0_2_004080C8 DeleteUrlCacheEntry,DeleteUrlCacheEntry,DeleteFileA,DeleteFileA,URLDownloadToFileA,DeleteUrlCacheEntry, 0_2_004080C8
Source: global traffic HTTP traffic detected: GET /lander HTTP/1.1Host: www.onefordvd.comConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: cross-siteSec-Fetch-Mode: navigateSec-Fetch-Dest: documentsec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Referer: http://www.onefordvd.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /tag?o=5097926782615552&upapi=true HTTP/1.1Host: btloader.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: */*Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://www.onefordvd.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /adsense/domains/caf.js?abp=1&gdabp=true HTTP/1.1Host: www.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: */*X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlqHLAQiFoM0BCOnFzQEIucrNAQiK080BGI/OzQEYwtjNARjrjaUXSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://www.onefordvd.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /px.gif?ch=2 HTTP/1.1Host: ad-delivery.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://www.onefordvd.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /px.gif?ch=1&e=0.7379176731179411 HTTP/1.1Host: ad-delivery.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://www.onefordvd.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /favicon.ico?ad=300x250&ad_box_=1&adnet=1&showad=1&size=250x250 HTTP/1.1Host: ad.doubleclick.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlqHLAQiFoM0BCOnFzQEIucrNAQiK080BGI/OzQEYwtjNARjrjaUXSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://www.onefordvd.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /tag?o=5097926782615552&upapi=true HTTP/1.1Host: btloader.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /adsense/domains/caf.js?abp=1&gdabp=true HTTP/1.1Host: www.google.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlqHLAQiFoM0BCOnFzQEIucrNAQiK080BGI/OzQEYwtjNARjrjaUXSec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /px.gif?ch=1&e=0.7550573385120041 HTTP/1.1Host: ad-delivery.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://www.onefordvd.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /px.gif?ch=2 HTTP/1.1Host: ad-delivery.netConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://www.onefordvd.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9If-None-Match: "ad4b0f606e0f8465bc4c4c170b37e1a3"If-Modified-Since: Wed, 05 May 2021 19:25:32 GMT
Source: global traffic HTTP traffic detected: GET /v1/domains/domain?domain=www.onefordvd.com&portfolioId=&abp=1&gdabp=true HTTP/1.1Host: api.aws.parking.godaddy.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36X-Request-Id: 29c03105-bfe3-4210-967e-5295b3a100a0sec-ch-ua-platform: "Windows"Accept: */*Origin: https://www.onefordvd.comSec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://www.onefordvd.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /px.gif?ch=1&e=0.7379176731179411 HTTP/1.1Host: ad-delivery.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /px.gif?ch=2 HTTP/1.1Host: ad-delivery.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /px.gif?ch=1&e=0.7550573385120041 HTTP/1.1Host: ad-delivery.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /favicon.ico?ad=300x250&ad_box_=1&adnet=1&showad=1&size=250x250 HTTP/1.1Host: ad.doubleclick.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlqHLAQiFoM0BCOnFzQEIucrNAQiK080BGI/OzQEYwtjNARjrjaUXSec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /px.gif?ch=2 HTTP/1.1Host: ad-delivery.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9If-None-Match: "ad4b0f606e0f8465bc4c4c170b37e1a3"If-Modified-Since: Wed, 05 May 2021 19:25:32 GMT
Source: global traffic HTTP traffic detected: GET /afs/ads?adsafe=low&adtest=off&psid=7621175430&pcsa=false&channel=06902&domain_name=onefordvd.com&client=dp-namemedia06_3ph&r=m&rpbu=https%3A%2F%2Fwww.onefordvd.com%2Flander&type=3&uiopt=true&swp=as-drid-2412708874333548&oe=UTF-8&ie=UTF-8&fexp=21404%2C17301431%2C17301433%2C17301436%2C17301511%2C17301516%2C17301266&format=r3&nocache=1741724944339990&num=0&output=afd_ads&v=3&bsl=8&pac=0&u_his=1&u_tz=-240&dt=1724944339992&u_w=1280&u_h=1024&biw=1280&bih=907&psw=1280&psh=907&frm=0&uio=-&cont=relatedLinks&drt=0&jsid=caf&nfp=1&jsv=667606770&rurl=https%3A%2F%2Fwww.onefordvd.com%2Flander&referer=http%3A%2F%2Fwww.onefordvd.com%2F HTTP/1.1Host: syndicatedsearch.googConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: cross-siteSec-Fetch-Mode: navigateSec-Fetch-Dest: iframeReferer: https://www.onefordvd.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /v1/domains/domain?domain=www.onefordvd.com&portfolioId=&abp=1&gdabp=true HTTP/1.1Host: api.aws.parking.godaddy.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic HTTP traffic detected: GET /afs/ads?adsafe=low&adtest=off&psid=7621175430&pcsa=false&channel=06902&domain_name=onefordvd.com&client=dp-namemedia06_3ph&r=m&rpbu=https%3A%2F%2Fwww.onefordvd.com%2Flander&type=3&uiopt=true&swp=as-drid-2412708874333548&oe=UTF-8&ie=UTF-8&fexp=21404%2C17301431%2C17301433%2C17301436%2C17301511%2C17301516%2C17301266&format=r3&nocache=2721724944340427&num=0&output=afd_ads&v=3&bsl=8&pac=0&u_his=1&u_tz=-240&dt=1724944340430&u_w=1280&u_h=1024&biw=1280&bih=907&psw=1280&psh=907&frm=0&uio=-&cont=relatedLinks&drt=0&jsid=caf&nfp=1&jsv=667606770&rurl=https%3A%2F%2Fwww.onefordvd.com%2Flander&referer=http%3A%2F%2Fwww.onefordvd.com%2F HTTP/1.1Host: syndicatedsearch.googConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: cross-siteSec-Fetch-Mode: navigateSec-Fetch-Dest: iframeReferer: https://www.onefordvd.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /adsense/domains/caf.js?pac=0 HTTP/1.1Host: syndicatedsearch.googConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: */*Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://syndicatedsearch.goog/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /ad_icons/standard/publisher_icon_image/search.svg?c=%230f1c21 HTTP/1.1Host: afs.googleusercontent.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlqHLAQiFoM0BCOnFzQEIucrNAQiK080BGI/OzQEYwtjNARjrjaUXSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://syndicatedsearch.goog/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /ad_icons/standard/publisher_icon_image/chevron.svg?c=%230f1c21 HTTP/1.1Host: afs.googleusercontent.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlqHLAQiFoM0BCOnFzQEIucrNAQiK080BGI/OzQEYwtjNARjrjaUXSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://syndicatedsearch.goog/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /adsense/domains/caf.js?pac=0 HTTP/1.1Host: syndicatedsearch.googConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /js/bg/qfimbA0GYhgyETKN2gHT05d-Hpg6wiB8plDJ1aMSf3s.js HTTP/1.1Host: www.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: */*X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlqHLAQiFoM0BCOnFzQEIucrNAQiK080BGI/OzQEYwtjNARjrjaUXSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://syndicatedsearch.goog/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /afs/gen_204?client=dp-namemedia06_3ph&output=uds_ads_only&zx=11hs6q014uq&aqid=1Y_QZrGTL9KnjuwPiPe1wA0&psid=7621175430&pbt=bs&adbx=267&adby=173.6875&adbh=464&adbw=500&adbah=148%2C148%2C148&adbn=master-1&eawp=partner-dp-namemedia06_3ph&errv=667606770&csala=4%7C0%7C1541%7C1243%7C284&lle=0&ifv=1&hpt=0 HTTP/1.1Host: syndicatedsearch.googConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://www.onefordvd.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /afs/gen_204?client=dp-namemedia06_3ph&output=uds_ads_only&zx=lhb5r7xl5det&aqid=1Y_QZrGTL9KnjuwPiPe1wA0&psid=7621175430&pbt=bv&adbx=267&adby=173.6875&adbh=464&adbw=500&adbah=148%2C148%2C148&adbn=master-1&eawp=partner-dp-namemedia06_3ph&errv=667606770&csala=4%7C0%7C1541%7C1243%7C284&lle=0&ifv=1&hpt=0 HTTP/1.1Host: syndicatedsearch.googConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://www.onefordvd.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /v1/parkingEvents?abp=1&gdabp=true HTTP/1.1Host: api.aws.parking.godaddy.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: AWSALB=/PACIG2Rh6Q/vGV0NBgbuS+lsVrP73uW1UI165tCgsOir5+lVfSc3EOE5/KF97HJfLMGGXb9HIFU+Y51hWb4VljWkM3MbSWgVL4GN8m3RW3wbck9VtczOnvRWDlA; AWSALBCORS=/PACIG2Rh6Q/vGV0NBgbuS+lsVrP73uW1UI165tCgsOir5+lVfSc3EOE5/KF97HJfLMGGXb9HIFU+Y51hWb4VljWkM3MbSWgVL4GN8m3RW3wbck9VtczOnvRWDlA; cpvisitor=f491361e-23b1-46ad-b955-49e64997c4da
Source: global traffic HTTP traffic detected: GET /js/bg/qfimbA0GYhgyETKN2gHT05d-Hpg6wiB8plDJ1aMSf3s.js HTTP/1.1Host: www.google.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlqHLAQiFoM0BCOnFzQEIucrNAQiK080BGI/OzQEYwtjNARjrjaUXSec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /ad_icons/standard/publisher_icon_image/chevron.svg?c=%230f1c21 HTTP/1.1Host: afs.googleusercontent.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlqHLAQiFoM0BCOnFzQEIucrNAQiK080BGI/OzQEYwtjNARjrjaUXSec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /ad_icons/standard/publisher_icon_image/search.svg?c=%230f1c21 HTTP/1.1Host: afs.googleusercontent.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlqHLAQiFoM0BCOnFzQEIucrNAQiK080BGI/OzQEYwtjNARjrjaUXSec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /v1/parkingEvents?abp=1&gdabp=true HTTP/1.1Host: api.aws.parking.godaddy.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: AWSALB=/PACIG2Rh6Q/vGV0NBgbuS+lsVrP73uW1UI165tCgsOir5+lVfSc3EOE5/KF97HJfLMGGXb9HIFU+Y51hWb4VljWkM3MbSWgVL4GN8m3RW3wbck9VtczOnvRWDlA; AWSALBCORS=/PACIG2Rh6Q/vGV0NBgbuS+lsVrP73uW1UI165tCgsOir5+lVfSc3EOE5/KF97HJfLMGGXb9HIFU+Y51hWb4VljWkM3MbSWgVL4GN8m3RW3wbck9VtczOnvRWDlA; cpvisitor=f491361e-23b1-46ad-b955-49e64997c4da
Source: global traffic HTTP traffic detected: GET /afs/gen_204?client=dp-namemedia06_3ph&output=uds_ads_only&zx=g3yhpaijmirq&aqid=1o_QZoOUFf6kjuwPko2JoA0&psid=7621175430&pbt=bs&adbx=267&adby=173.6875&adbh=464&adbw=500&adbah=148%2C148%2C148&adbn=master-1&eawp=partner-dp-namemedia06_3ph&errv=667606770&csala=11%7C0%7C1627%7C1343%7C1527&lle=0&ifv=1&hpt=0 HTTP/1.1Host: syndicatedsearch.googConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://www.onefordvd.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /afs/gen_204?client=dp-namemedia06_3ph&output=uds_ads_only&zx=2gf50ip8fgbm&aqid=1o_QZoOUFf6kjuwPko2JoA0&psid=7621175430&pbt=bv&adbx=267&adby=173.6875&adbh=464&adbw=500&adbah=148%2C148%2C148&adbn=master-1&eawp=partner-dp-namemedia06_3ph&errv=667606770&csala=11%7C0%7C1627%7C1343%7C1527&lle=0&ifv=1&hpt=0 HTTP/1.1Host: syndicatedsearch.googConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://www.onefordvd.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=lFzGF6yeVbArfYs&MD=x6PWfleO HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=lFzGF6yeVbArfYs&MD=x6PWfleO HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: www.onefordvd.comConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /lander HTTP/1.1Host: www.onefordvd.comConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Referer: http://www.onefordvd.com/Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: www.onefordvd.comConnection: keep-aliveCache-Control: max-age=0Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Referer: http://www.onefordvd.com/Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: www.onefordvd.comConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: expiry_partner=; caf_ipaddr=8.46.123.33; country=US; city=New%20York; lander_type=parking
Source: global traffic DNS traffic detected: DNS query: 1861119.com
Source: global traffic DNS traffic detected: DNS query: www.onefordvd.com
Source: global traffic DNS traffic detected: DNS query: msg.tmhacker.com
Source: global traffic DNS traffic detected: DNS query: www.google.com
Source: global traffic DNS traffic detected: DNS query: btloader.com
Source: global traffic DNS traffic detected: DNS query: img1.wsimg.com
Source: global traffic DNS traffic detected: DNS query: syndicatedsearch.goog
Source: global traffic DNS traffic detected: DNS query: ad-delivery.net
Source: global traffic DNS traffic detected: DNS query: ad.doubleclick.net
Source: global traffic DNS traffic detected: DNS query: api.aws.parking.godaddy.com
Source: global traffic DNS traffic detected: DNS query: afs.googleusercontent.com
Source: global traffic DNS traffic detected: DNS query: www.dvdforone.com
Source: global traffic DNS traffic detected: DNS query: google.com
Source: unknown HTTP traffic detected: POST /v1/parkingEvents?abp=1&gdabp=true HTTP/1.1Host: api.aws.parking.godaddy.comConnection: keep-aliveContent-Length: 920sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-platform: "Windows"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Content-Type: application/jsonAccept: */*Origin: https://www.onefordvd.comSec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://www.onefordvd.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: wuauclt.exe, 00000004.00000002.3253380639.000000000066E000.00000004.00000020.00020000.00000000.sdmp, wuauclt.exe, 00000004.00000002.3253732346.0000000002102000.00000004.00001000.00020000.00000000.sdmp, wuauclt.exe, 0000002A.00000002.2234954053.000000000055B000.00000004.00000020.00020000.00000000.sdmp, wuauclt.exe, 0000002A.00000003.2234129206.00000000023B5000.00000004.00001000.00020000.00000000.sdmp, wuauclt.exe, 0000002A.00000003.2234156390.00000000023B2000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://1861119.com/1.txt
Source: sxs.exe, 00000000.00000002.2041399746.00000000007DE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://1861119.com/1.txtO
Source: sxs.exe, 00000000.00000002.2041399746.00000000007DE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://1861119.com/1.txtW
Source: sxs.exe, 00000000.00000002.2041399746.0000000000859000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://1861119.com/1.txtnss
Source: sxs.exe, 00000000.00000003.2035087789.0000000002172000.00000004.00001000.00020000.00000000.sdmp, sxs.exe, 00000000.00000003.2035087789.0000000002175000.00000004.00001000.00020000.00000000.sdmp, wuauclt.exe, 00000004.00000002.3253732346.0000000002102000.00000004.00001000.00020000.00000000.sdmp, wuauclt.exe, 0000002A.00000003.2234156390.00000000023B2000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://1861119.com/ie.tx
Source: wuauclt.exe, 0000002A.00000002.2234954053.000000000055B000.00000004.00000020.00020000.00000000.sdmp, wuauclt.exe, 0000002A.00000003.2234129206.00000000023B5000.00000004.00001000.00020000.00000000.sdmp, wuauclt.exe, 0000002A.00000003.2198638536.00000000005B7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://1861119.com/ie.txt
Source: wuauclt.exe, 0000002A.00000003.2198638536.00000000005B7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://1861119.com/ie.txt/
Source: sxs.exe, 00000000.00000002.2041399746.00000000007DE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://1861119.com/ie.txt_
Source: wuauclt.exe, 0000002A.00000003.2234129206.00000000023B5000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://1861119.com/ie.txthT;
Source: wuauclt.exe, 0000002A.00000003.2198638536.00000000005B7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://1861119.com/ie.txtlate
Source: sxs.exe, 00000000.00000002.2041399746.0000000000868000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://1861119.com/ie.txt~
Source: wuauclt.exe, 00000004.00000002.3253380639.00000000006DB000.00000004.00000020.00020000.00000000.sdmp, wuauclt.exe, 00000004.00000002.3253732346.0000000002102000.00000004.00001000.00020000.00000000.sdmp, wuauclt.exe, 0000002A.00000003.2198638536.00000000005C1000.00000004.00000020.00020000.00000000.sdmp, wuauclt.exe, 0000002A.00000003.2234129206.00000000023B5000.00000004.00001000.00020000.00000000.sdmp, wuauclt.exe, 0000002A.00000003.2234156390.00000000023B2000.00000004.00001000.00020000.00000000.sdmp, wuauclt.exe, 0000002A.00000002.2234954053.0000000000597000.00000004.00000020.00020000.00000000.sdmp, wuauclt.exe, 0000002A.00000003.2198638536.00000000005B7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://1861119.com/index.exe
Source: wuauclt.exe, 0000002A.00000002.2234954053.0000000000597000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://1861119.com/index.exe$N
Source: sxs.exe, 00000000.00000002.2041399746.0000000000820000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://1861119.com/index.exe.
Source: wuauclt.exe, 00000004.00000002.3253732346.0000000002105000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://1861119.com/index.exe0U
Source: wuauclt.exe, 0000002A.00000002.2234954053.0000000000597000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://1861119.com/index.exe3N
Source: wuauclt.exe, 0000002A.00000003.2198638536.00000000005B7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://1861119.com/index.exe8
Source: wuauclt.exe, 00000004.00000002.3253380639.00000000006B0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://1861119.com/index.exeE
Source: wuauclt.exe, 0000002A.00000002.2234954053.0000000000597000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://1861119.com/index.exeb1
Source: sxs.exe, 00000000.00000002.2041399746.0000000000820000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://1861119.com/index.exeq#
Source: chromecache_112.8.dr, chromecache_103.8.dr String found in binary or memory: http://domainretailing.com/rg-dsale3p.php?d=onefordvd.com
Source: wuauclt.exe, 0000002A.00000002.2234954053.0000000000597000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://msg.tmhacker.com/down.txt
Source: wuauclt.exe, 00000004.00000002.3253380639.00000000006B0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://msg.tmhacker.com/down.txtrj
Source: wuauclt.exe, 00000004.00000002.3253380639.00000000006B0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://msg.tmhacker.com/down.txtrp
Source: wuauclt.exe, 0000002A.00000003.2234129206.00000000023B5000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://msg.tmhacker.com/ie.t
Source: wuauclt.exe, 00000004.00000002.3253380639.00000000006DB000.00000004.00000020.00020000.00000000.sdmp, wuauclt.exe, 0000002A.00000002.2234954053.000000000055B000.00000004.00000020.00020000.00000000.sdmp, wuauclt.exe, 0000002A.00000003.2234264885.0000000000606000.00000004.00000020.00020000.00000000.sdmp, wuauclt.exe, 0000002A.00000002.2235364430.0000000000606000.00000004.00000020.00020000.00000000.sdmp, wuauclt.exe, 0000002A.00000003.2234129206.00000000023B5000.00000004.00001000.00020000.00000000.sdmp, wuauclt.exe, 0000002A.00000002.2234954053.0000000000597000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://msg.tmhacker.com/ie.txt
Source: wuauclt.exe, 00000004.00000003.2081368568.00000000006E5000.00000004.00000020.00020000.00000000.sdmp, wuauclt.exe, 00000004.00000002.3253380639.00000000006DB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://msg.tmhacker.com/ie.txt&
Source: wuauclt.exe, 00000004.00000003.2081368568.00000000006E5000.00000004.00000020.00020000.00000000.sdmp, wuauclt.exe, 00000004.00000002.3253380639.00000000006DB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://msg.tmhacker.com/ie.txt)
Source: wuauclt.exe, 00000004.00000003.2081368568.00000000006E5000.00000004.00000020.00020000.00000000.sdmp, wuauclt.exe, 00000004.00000002.3253380639.00000000006DB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://msg.tmhacker.com/ie.txt-
Source: wuauclt.exe, 0000002A.00000003.2234264885.0000000000606000.00000004.00000020.00020000.00000000.sdmp, wuauclt.exe, 0000002A.00000002.2235364430.0000000000606000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://msg.tmhacker.com/ie.txtSia
Source: wuauclt.exe, 0000002A.00000003.2234264885.0000000000606000.00000004.00000020.00020000.00000000.sdmp, wuauclt.exe, 0000002A.00000002.2235364430.0000000000606000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://msg.tmhacker.com/ie.txtZin
Source: wuauclt.exe, 0000002A.00000002.2234954053.0000000000597000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://msg.tmhacker.com/ie.txtp1
Source: wuauclt.exe, 0000002A.00000003.2234264885.0000000000606000.00000004.00000020.00020000.00000000.sdmp, wuauclt.exe, 0000002A.00000002.2235364430.0000000000606000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://msg.tmhacker.com/ie.txt~n
Source: wuauclt.exe, 0000002A.00000002.2235364430.0000000000606000.00000004.00000020.00020000.00000000.sdmp, wuauclt.exe, 0000002A.00000003.2234129206.00000000023B5000.00000004.00001000.00020000.00000000.sdmp, wuauclt.exe, 0000002A.00000003.2234156390.00000000023B2000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://msg.tmhacker.com/tean1.txt
Source: wuauclt.exe, 0000002A.00000003.2234129206.00000000023B5000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://msg.tmhacker.com/tean1.txt&
Source: wuauclt.exe, 0000002A.00000003.2234264885.0000000000606000.00000004.00000020.00020000.00000000.sdmp, wuauclt.exe, 0000002A.00000002.2235364430.0000000000606000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://msg.tmhacker.com/tean1.txt8U
Source: wuauclt.exe, 00000004.00000003.2081368568.00000000006E5000.00000004.00000020.00020000.00000000.sdmp, wuauclt.exe, 00000004.00000002.3253380639.00000000006DB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://msg.tmhacker.com/tean1.txtB
Source: wuauclt.exe, 0000002A.00000003.2234264885.0000000000606000.00000004.00000020.00020000.00000000.sdmp, wuauclt.exe, 0000002A.00000002.2235364430.0000000000606000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://msg.tmhacker.com/tean1.txtGE
Source: wuauclt.exe, 0000002A.00000003.2234264885.0000000000606000.00000004.00000020.00020000.00000000.sdmp, wuauclt.exe, 0000002A.00000002.2235364430.0000000000606000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://msg.tmhacker.com/tean1.txtJS;.JSE;.WSF;.WSH;#F
Source: wuauclt.exe, 0000002A.00000003.2234264885.0000000000606000.00000004.00000020.00020000.00000000.sdmp, wuauclt.exe, 0000002A.00000002.2235364430.0000000000606000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://msg.tmhacker.com/tean1.txtME
Source: sxs.exe, 00000000.00000003.2016117630.0000000000740000.00000040.00001000.00020000.00000000.sdmp, wuauclt.exe, 0000002A.00000003.2177702991.00000000021E0000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: http://w.tw7890.com/
Source: wuauclt.exe, 0000002A.00000002.2234954053.000000000055B000.00000004.00000020.00020000.00000000.sdmp, wuauclt.exe, 0000002A.00000003.2234129206.00000000023B5000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 0000002D.00000002.2208846931.0000000000E69000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002D.00000002.2208846931.0000000000E60000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002D.00000002.2208846931.0000000000E83000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.dvdforone.com
Source: explorer.exe, 0000002E.00000003.2804551864.0000000000565000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002E.00000002.2804925525.0000000000533000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.dvdforone.com/
Source: explorer.exe, 0000002E.00000003.2804701070.0000000000572000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002E.00000003.2804551864.0000000000565000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.dvdforone.com/0M
Source: explorer.exe, 0000002E.00000002.2804925525.0000000000544000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.dvdforone.com/23
Source: explorer.exe, 0000002E.00000002.2804925525.0000000000544000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.dvdforone.com/4b823s
Source: explorer.exe, 0000002E.00000003.2804701070.0000000000572000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002E.00000002.2804925525.0000000000573000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002E.00000003.2804551864.0000000000565000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.dvdforone.com/C:
Source: explorer.exe, 0000002E.00000002.2804925525.0000000000544000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.dvdforone.com/Vh
Source: explorer.exe, 0000002E.00000002.2804925525.0000000000544000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.dvdforone.com/Zy
Source: explorer.exe, 0000002D.00000002.2208846931.0000000000E83000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.dvdforone.com/o
Source: wuauclt.exe, 0000002A.00000002.2235700906.0000000002220000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002D.00000002.2208846931.0000000000E60000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.dvdforone.comC:
Source: sxs.exe, 00000000.00000003.2016130183.0000000000750000.00000040.00001000.00020000.00000000.sdmp, wuauclt.exe, 0000002A.00000003.2177763585.00000000021F0000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.gamesrb.com/rbm/help.exe
Source: sxs.exe, 00000000.00000003.2016130183.0000000000750000.00000040.00001000.00020000.00000000.sdmp, wuauclt.exe, 0000002A.00000003.2177763585.00000000021F0000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.hg7890.com/hgb/help.exe
Source: sxs.exe, sxs.exe, 00000000.00000003.2016766274.0000000000740000.00000040.00001000.00020000.00000000.sdmp, sxs.exe, 00000000.00000003.2016130183.0000000000750000.00000040.00001000.00020000.00000000.sdmp, iexplore.exe, 00000002.00000002.3252602889.0000000000100000.00000040.00000400.00020000.00000000.sdmp, wuauclt.exe, wuauclt.exe, 0000002A.00000003.2177763585.00000000021F0000.00000040.00001000.00020000.00000000.sdmp, wuauclt.exe, 0000002A.00000003.2180435124.0000000002310000.00000040.00001000.00020000.00000000.sdmp, iexplore.exe, 0000002B.00000002.3252569275.0000000000D50000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://www.om7890.com/mfx/help.exe
Source: sxs.exe, 00000000.00000002.2041399746.000000000084B000.00000004.00000020.00020000.00000000.sdmp, sxs.exe, 00000000.00000002.2041399746.0000000000820000.00000004.00000020.00020000.00000000.sdmp, sxs.exe, 00000000.00000003.2035087789.0000000002175000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2043412825.0000000002908000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2043412825.0000000002900000.00000004.00000020.00020000.00000000.sdmp, wuauclt.exe, 00000004.00000002.3253732346.0000000002105000.00000004.00001000.00020000.00000000.sdmp, wuauclt.exe, 00000004.00000002.3253380639.000000000066E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2101961189.00000000029A8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2101961189.00000000029A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.onefordvd.com
Source: explorer.exe, 00000009.00000002.2101961189.00000000029A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.onefordvd.com(
Source: explorer.exe, 0000000C.00000002.2676562250.0000000001463000.00000004.00000020.00020000.00000000.sdmp, chromecache_94.8.dr String found in binary or memory: http://www.onefordvd.com/
Source: explorer.exe, 0000000C.00000003.2676356523.00000000014AA000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2676620417.00000000014AB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.onefordvd.com/&
Source: explorer.exe, 00000005.00000003.2638770707.0000000000F60000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2638890708.0000000000F82000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2639171790.0000000000F83000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.onefordvd.com/)
Source: explorer.exe, 00000009.00000002.2101961189.00000000029A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.onefordvd.com/10
Source: explorer.exe, 00000005.00000003.2638770707.0000000000F60000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2639171790.0000000000F60000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.onefordvd.com/23M4
Source: explorer.exe, 00000005.00000003.2638770707.0000000000F60000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2639171790.0000000000F60000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.onefordvd.com/4b823
Source: explorer.exe, 0000000C.00000002.2676562250.0000000001463000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.onefordvd.com/6x
Source: explorer.exe, 00000005.00000003.2638770707.0000000000F60000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2638890708.0000000000F82000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2639171790.0000000000F83000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.onefordvd.com/A
Source: explorer.exe, 0000000C.00000003.2676269391.000000000148B000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2676620417.000000000148C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.onefordvd.com/W
Source: explorer.exe, 00000005.00000003.2638770707.0000000000F60000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2638890708.0000000000F82000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2639171790.0000000000F83000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.onefordvd.com/Y
Source: explorer.exe, 00000003.00000002.2043412825.0000000002908000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.onefordvd.com/c%1
Source: explorer.exe, 00000005.00000003.2638770707.0000000000F60000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2638890708.0000000000F82000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2639171790.0000000000F83000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.onefordvd.com/i
Source: explorer.exe, 0000000C.00000003.2676269391.000000000148B000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2676620417.000000000148C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.onefordvd.com/l
Source: explorer.exe, 0000000C.00000003.2676356523.00000000014AA000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2676620417.00000000014AB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.onefordvd.com/n
Source: explorer.exe, 0000000C.00000003.2676269391.000000000148B000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2676620417.000000000148C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.onefordvd.com/s.lll
Source: explorer.exe, 0000000C.00000003.2676356523.00000000014AA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.onefordvd.com/t
Source: explorer.exe, 00000009.00000002.2101961189.00000000029A8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.onefordvd.com/v
Source: explorer.exe, 0000000C.00000003.2676356523.00000000014AA000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2676620417.00000000014AB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.onefordvd.com/~
Source: explorer.exe, 00000003.00000002.2043412825.0000000002900000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.onefordvd.com2
Source: sxs.exe, 00000000.00000003.2035198425.0000000002281000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2043084095.0000000002840000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2043412825.0000000002900000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2098672056.0000000002880000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.2101961189.00000000029A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.onefordvd.comC:
Source: sxs.exe, 00000000.00000003.2035087789.0000000002175000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.onefordvd.comXV
Source: sxs.exe, 00000000.00000002.2041399746.0000000000868000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.onefordvd.com_
Source: explorer.exe, 00000003.00000002.2043412825.0000000002900000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.onefordvd.come
Source: sxs.exe, 00000000.00000002.2041399746.000000000084B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.onefordvd.comop
Source: sxs.exe, 00000000.00000003.2016130183.0000000000750000.00000040.00001000.00020000.00000000.sdmp, wuauclt.exe, 0000002A.00000003.2177763585.00000000021F0000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.tw7890.com/twv/help.exe
Source: sxs.exe, 00000000.00000003.2016130183.0000000000750000.00000040.00001000.00020000.00000000.sdmp, wuauclt.exe, 0000002A.00000003.2177763585.00000000021F0000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.tw7890.com/twv/help.exehttp://www.om7890.com/mfx/help.exehttp://www.hg7890.com/hgb/help.e
Source: wuauclt.exe, wuauclt.exe, 0000002A.00000002.2234707421.0000000000401000.00000004.00000001.01000000.00000007.sdmp String found in binary or memory: http://www.xxx.com/abc.exe
Source: wuauclt.exe, wuauclt.exe, 0000002A.00000002.2234707421.0000000000401000.00000004.00000001.01000000.00000007.sdmp String found in binary or memory: http://www.xxx.com/ie.txt
Source: wuauclt.exe, wuauclt.exe, 0000002A.00000002.2234707421.0000000000401000.00000004.00000001.01000000.00000007.sdmp String found in binary or memory: http://www.xxx.com/qqmsg.txt
Source: chromecache_90.8.dr String found in binary or memory: https://btloader.com/tag?o=5097926782615552&upapi=true
Source: chromecache_98.8.dr, chromecache_104.8.dr, chromecache_106.8.dr, chromecache_108.8.dr String found in binary or memory: https://fonts.googleapis.com/css?family=
Source: chromecache_90.8.dr String found in binary or memory: https://img1.wsimg.com/parking-lander/static/css/main.ef90a627.css
Source: chromecache_90.8.dr String found in binary or memory: https://img1.wsimg.com/parking-lander/static/js/main.5bbf83b7.js
Source: wuauclt.exe, 0000002A.00000002.2235055048.00000000005B8000.00000004.00000020.00020000.00000000.sdmp, wuauclt.exe, 0000002A.00000003.2234500669.00000000005B7000.00000004.00000020.00020000.00000000.sdmp, wuauclt.exe, 0000002A.00000003.2198638536.00000000005B7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.li
Source: sxs.exe, 00000000.00000002.2041399746.0000000000820000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.comC
Source: wuauclt.exe, 00000004.00000002.3253380639.00000000006B0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.comx
Source: chromecache_98.8.dr, chromecache_104.8.dr, chromecache_106.8.dr, chromecache_108.8.dr String found in binary or memory: https://pagead2.googlesyndication.com/pagead/gen_204?id=tcfe
Source: chromecache_98.8.dr, chromecache_104.8.dr, chromecache_106.8.dr, chromecache_108.8.dr String found in binary or memory: https://partner.googleadservices.com/gampad/cookie.js
Source: chromecache_98.8.dr, chromecache_104.8.dr, chromecache_106.8.dr, chromecache_108.8.dr String found in binary or memory: https://syndicatedsearch.goog
Source: chromecache_90.8.dr String found in binary or memory: https://www.google.com/adsense/domains/caf.js?abp=1&gdabp=true
Source: chromecache_98.8.dr, chromecache_104.8.dr, chromecache_106.8.dr, chromecache_108.8.dr String found in binary or memory: https://www.google.com/pagead/1p-conversion/16521530460/?gad_source=1&adview_type=5
Source: chromecache_98.8.dr, chromecache_104.8.dr, chromecache_106.8.dr, chromecache_108.8.dr String found in binary or memory: https://www.googleadservices.com/pagead/conversion/16521530460/?gad_source=1&adview_type=3
Source: unknown Network traffic detected: HTTP traffic on port 53755 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53790 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53764 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53749 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53787 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53750 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53758 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53796 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53744 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53793 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53809 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53769 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53749
Source: unknown Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53747
Source: unknown Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53772 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53744
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53743
Source: unknown Network traffic detected: HTTP traffic on port 53799 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53743 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53785 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53808 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown Network traffic detected: HTTP traffic on port 53800 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53759
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53758
Source: unknown Network traffic detected: HTTP traffic on port 53752 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53760 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53752
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53751
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53750
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53756
Source: unknown Network traffic detected: HTTP traffic on port 53794 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53777 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53755
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53754
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53753
Source: unknown Network traffic detected: HTTP traffic on port 53763 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53788 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown Network traffic detected: HTTP traffic on port 53780 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53769
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53802
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53808
Source: unknown Network traffic detected: HTTP traffic on port 53751 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53763
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53762
Source: unknown Network traffic detected: HTTP traffic on port 53759 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53760
Source: unknown Network traffic detected: HTTP traffic on port 53774 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53800
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53765
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53764
Source: unknown Network traffic detected: HTTP traffic on port 53797 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53802 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53770
Source: unknown Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53809
Source: unknown Network traffic detected: HTTP traffic on port 53779 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53754 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53779
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53774
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53773
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53772
Source: unknown Network traffic detected: HTTP traffic on port 53811 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53811
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53777
Source: unknown Network traffic detected: HTTP traffic on port 53765 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53780
Source: unknown Network traffic detected: HTTP traffic on port 53786 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53753 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53785
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53789
Source: unknown Network traffic detected: HTTP traffic on port 53795 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53788
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53787
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53786
Source: unknown Network traffic detected: HTTP traffic on port 53792 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53792
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53790
Source: unknown Network traffic detected: HTTP traffic on port 53762 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53747 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53789 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53756 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53796
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53795
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53794
Source: unknown Network traffic detected: HTTP traffic on port 53773 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53793
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53799
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53798
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53797
Source: unknown Network traffic detected: HTTP traffic on port 53798 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53770 -> 443
Source: unknown HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.5:53760 version: TLS 1.2
Source: unknown HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.5:53773 version: TLS 1.2
Source: unknown HTTPS traffic detected: 52.165.165.26:443 -> 192.168.2.5:53799 version: TLS 1.2
Source: unknown HTTPS traffic detected: 52.165.165.26:443 -> 192.168.2.5:53809 version: TLS 1.2

System Summary
barindex
Uses regedit.exe to modify the Windows registry
Source: C:\Windows\wuauclt.exe Process created: C:\Windows\SysWOW64\regedit.exe "C:\Windows\System32\regedit.exe" /s C:\Windows\noruns.reg
Contains functionality to call native functions
Source: C:\Users\user\Desktop\sxs.exe Code function: 0_2_00404A98 PostQuitMessage,NtdllDefWindowProc_A, 0_2_00404A98
Source: C:\Windows\wuauclt.exe Code function: 4_2_00404A98 PostQuitMessage,NtdllDefWindowProc_A, 4_2_00404A98
Source: C:\Windows\wuauclt.exe Code function: 42_2_00404A98 PostQuitMessage,NtdllDefWindowProc_A, 42_2_00404A98
Creates files inside the system directory
Source: C:\Users\user\Desktop\sxs.exe File created: C:\Windows\wuauclt.exe Jump to behavior
Source: C:\Users\user\Desktop\sxs.exe File created: C:\Windows\wuauclt.exe\:Zone.Identifier:$DATA Jump to behavior
Source: C:\Users\user\Desktop\sxs.exe File created: C:\Windows\noruns.reg Jump to behavior
Deletes files inside the Windows folder
Source: C:\Windows\wuauclt.exe File deleted: C:\Windows\noruns.reg Jump to behavior
Detected potential crypto function
Source: C:\Users\user\Desktop\sxs.exe Code function: 0_3_00700C12 0_3_00700C12
Source: C:\Users\user\Desktop\sxs.exe Code function: 0_2_00406928 0_2_00406928
Source: C:\Windows\wuauclt.exe Code function: 4_3_005F0C12 4_3_005F0C12
Source: C:\Windows\wuauclt.exe Code function: 4_2_00406928 4_2_00406928
Source: C:\Windows\wuauclt.exe Code function: 42_3_02330C12 42_3_02330C12
Source: C:\Windows\wuauclt.exe Code function: 42_2_00406928 42_2_00406928
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\sxs.exe Code function: String function: 00403B5C appears 34 times
Source: C:\Users\user\Desktop\sxs.exe Code function: String function: 00404DD0 appears 36 times
Source: C:\Users\user\Desktop\sxs.exe Code function: String function: 00404854 appears 32 times
Source: C:\Users\user\Desktop\sxs.exe Code function: String function: 00403D4C appears 38 times
Source: C:\Windows\wuauclt.exe Code function: String function: 00403B5C appears 68 times
Source: C:\Windows\wuauclt.exe Code function: String function: 00404324 appears 34 times
Source: C:\Windows\wuauclt.exe Code function: String function: 00404DD0 appears 76 times
Source: C:\Windows\wuauclt.exe Code function: String function: 00404854 appears 64 times
Source: C:\Windows\wuauclt.exe Code function: String function: 004039F4 appears 44 times
Source: C:\Windows\wuauclt.exe Code function: String function: 00403D4C appears 78 times
Source: C:\Windows\wuauclt.exe Code function: String function: 00403BA0 appears 60 times
Uses 32bit PE files
Source: sxs.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: sxs.exe Static PE information: Section: es2z2 ZLIB complexity 1.1896551724137931
Source: wuauclt.exe.0.dr Static PE information: Section: es2z2 ZLIB complexity 1.1896551724137931
Source: classification engine Classification label: mal100.spre.evad.winEXE@103/58@67/16
Source: C:\Users\user\Desktop\sxs.exe Code function: 0_2_004047BC CreateToolhelp32Snapshot, 0_2_004047BC
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps Jump to behavior
Source: C:\Windows\wuauclt.exe Mutant created: \Sessions\1\BaseNamedObjects\KingsoftAntivirusScanProgram7Mutex
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7584:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8004:120:WilError_03
Source: C:\Windows\wuauclt.exe Mutant created: \Sessions\1\BaseNamedObjects\SKYNET_PERSONAL_FIREWALL
Source: C:\Windows\wuauclt.exe Mutant created: \Sessions\1\BaseNamedObjects\ASSISTSHELLMUTEX
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7924:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8036:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8124:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7772:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8056:120:WilError_03
Source: C:\Windows\wuauclt.exe Mutant created: \Sessions\1\BaseNamedObjects\AntiTrojan3721
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7436:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8108:120:WilError_03
Source: C:\Windows\wuauclt.exe Mutant created: \Sessions\1\BaseNamedObjects\VIRUS_ASMAPING_XZASDWRTTYEEWD82473M
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7932:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8060:120:WilError_03
Source: C:\Users\user\Desktop\sxs.exe Process created: C:\Windows\SysWOW64\explorer.exe
Source: unknown Process created: C:\Windows\explorer.exe
Source: C:\Windows\wuauclt.exe Process created: C:\Windows\SysWOW64\explorer.exe
Source: unknown Process created: C:\Windows\explorer.exe
Source: C:\Windows\wuauclt.exe Process created: C:\Windows\explorer.exe
Source: unknown Process created: C:\Windows\explorer.exe
Source: C:\Users\user\Desktop\sxs.exe Process created: C:\Windows\SysWOW64\explorer.exe Jump to behavior
Source: C:\Windows\wuauclt.exe Process created: C:\Windows\SysWOW64\explorer.exe Jump to behavior
Source: C:\Windows\wuauclt.exe Process created: C:\Windows\explorer.exe
Source: C:\Users\user\Desktop\sxs.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\sxs.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: sxs.exe ReversingLabs: Detection: 91%
Source: C:\Users\user\Desktop\sxs.exe File read: C:\Users\user\Desktop\sxs.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\sxs.exe "C:\Users\user\Desktop\sxs.exe"
Source: C:\Users\user\Desktop\sxs.exe Process created: C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe"
Source: C:\Users\user\Desktop\sxs.exe Process created: C:\Windows\SysWOW64\explorer.exe "C:\Windows\System32\explorer.exe" http://www.onefordvd.com
Source: C:\Users\user\Desktop\sxs.exe Process created: C:\Windows\wuauclt.exe "C:\Windows\wuauclt.exe"
Source: unknown Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Source: C:\Windows\explorer.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://www.onefordvd.com/
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2104 --field-trial-handle=2068,i,10012621105845313477,5144001626182359971,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Windows\wuauclt.exe Process created: C:\Windows\SysWOW64\explorer.exe "C:\Windows\System32\explorer.exe" http://www.onefordvd.com
Source: C:\Windows\wuauclt.exe Process created: C:\Windows\SysWOW64\regedit.exe "C:\Windows\System32\regedit.exe" /s C:\Windows\noruns.reg
Source: C:\Windows\wuauclt.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" stop sharedaccess
Source: unknown Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Source: C:\Windows\wuauclt.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" stop KVWSC
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\wuauclt.exe Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" config KVWSC start= disabled
Source: C:\Windows\wuauclt.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" stop KVSrvXP
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\wuauclt.exe Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" config KVSrvXP start= disabled
Source: C:\Windows\SysWOW64\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\wuauclt.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" stop kavsvc
Source: C:\Windows\wuauclt.exe Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" config kavsvc start= disabled
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\wuauclt.exe Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" config RsRavMon start= disabled
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop sharedaccess
Source: C:\Windows\wuauclt.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" stop RsCCenter
Source: C:\Windows\SysWOW64\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop KVWSC
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\wuauclt.exe Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" config RsCCenter start= disabled
Source: C:\Windows\SysWOW64\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\wuauclt.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" stop RsRavMon
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop KVSrvXP
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop kavsvc
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop RsCCenter
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop RsRavMon
Source: C:\Windows\explorer.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://www.onefordvd.com/
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 --field-trial-handle=2004,i,8456847473545843836,6778845690688114268,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown Process created: C:\Windows\wuauclt.exe "C:\Windows\wuauclt.exe"
Source: C:\Windows\wuauclt.exe Process created: C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe"
Source: C:\Windows\wuauclt.exe Process created: C:\Windows\explorer.exe "C:\Windows\explorer.exe" http://www.dvdforone.com
Source: unknown Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Source: C:\Windows\explorer.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://www.dvdforone.com/
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2088 --field-trial-handle=2028,i,12403838513569625985,14954567300867270703,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Users\user\Desktop\sxs.exe Process created: C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" Jump to behavior
Source: C:\Users\user\Desktop\sxs.exe Process created: C:\Windows\SysWOW64\explorer.exe "C:\Windows\System32\explorer.exe" http://www.onefordvd.com Jump to behavior
Source: C:\Users\user\Desktop\sxs.exe Process created: C:\Windows\wuauclt.exe "C:\Windows\wuauclt.exe" Jump to behavior
Source: C:\Windows\wuauclt.exe Process created: C:\Windows\SysWOW64\explorer.exe "C:\Windows\System32\explorer.exe" http://www.onefordvd.com Jump to behavior
Source: C:\Windows\wuauclt.exe Process created: C:\Windows\SysWOW64\regedit.exe "C:\Windows\System32\regedit.exe" /s C:\Windows\noruns.reg Jump to behavior
Source: C:\Windows\wuauclt.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" stop sharedaccess Jump to behavior
Source: C:\Windows\wuauclt.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" stop KVWSC Jump to behavior
Source: C:\Windows\wuauclt.exe Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" config KVWSC start= disabled Jump to behavior
Source: C:\Windows\wuauclt.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" stop KVSrvXP Jump to behavior
Source: C:\Windows\wuauclt.exe Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" config KVSrvXP start= disabled Jump to behavior
Source: C:\Windows\wuauclt.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" stop kavsvc Jump to behavior
Source: C:\Windows\wuauclt.exe Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" config kavsvc start= disabled Jump to behavior
Source: C:\Windows\wuauclt.exe Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" config RsRavMon start= disabled Jump to behavior
Source: C:\Windows\wuauclt.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" stop RsCCenter Jump to behavior
Source: C:\Windows\wuauclt.exe Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" config RsCCenter start= disabled Jump to behavior
Source: C:\Windows\wuauclt.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" stop RsRavMon Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://www.onefordvd.com/ Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2104 --field-trial-handle=2068,i,10012621105845313477,5144001626182359971,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop sharedaccess
Source: C:\Windows\explorer.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://www.onefordvd.com/
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop KVWSC
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop KVSrvXP
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop kavsvc
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop RsCCenter
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop RsRavMon
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 --field-trial-handle=2004,i,8456847473545843836,6778845690688114268,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Windows\wuauclt.exe Process created: C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe"
Source: C:\Windows\wuauclt.exe Process created: C:\Windows\explorer.exe "C:\Windows\explorer.exe" http://www.dvdforone.com
Source: C:\Windows\explorer.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://www.dvdforone.com/
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2088 --field-trial-handle=2028,i,12403838513569625985,14954567300867270703,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Users\user\Desktop\sxs.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\sxs.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\sxs.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\sxs.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\sxs.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\sxs.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\sxs.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\sxs.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\sxs.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\sxs.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\sxs.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\sxs.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\sxs.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\sxs.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\sxs.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\sxs.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\sxs.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\sxs.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\sxs.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\sxs.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\sxs.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\sxs.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\sxs.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\sxs.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\sxs.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\sxs.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\sxs.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\sxs.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\sxs.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\sxs.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\sxs.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\sxs.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: aepic.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: twinapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: dxgi.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: twinapi.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: ninput.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: explorerframe.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: actxprxy.dll Jump to behavior
Source: C:\Windows\wuauclt.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\wuauclt.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\wuauclt.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\wuauclt.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\wuauclt.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\wuauclt.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\wuauclt.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\wuauclt.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\wuauclt.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\wuauclt.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\wuauclt.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\wuauclt.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\wuauclt.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\wuauclt.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\wuauclt.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\wuauclt.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\wuauclt.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\wuauclt.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\wuauclt.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\wuauclt.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\wuauclt.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Windows\wuauclt.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Windows\wuauclt.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\wuauclt.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Windows\wuauclt.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\wuauclt.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\wuauclt.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\wuauclt.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\wuauclt.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\wuauclt.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: aepic.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: twinapi.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: dxgi.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: twinapi.appcore.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: ninput.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: explorerframe.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: actxprxy.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: windows.shell.servicehostbuilder.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: ieframe.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: mlang.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: policymanager.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: msvcp110_win.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: pcacli.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: aepic.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: twinapi.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: dxgi.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: wtsapi32.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: dwmapi.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: twinapi.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: umpdc.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: ninput.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: explorerframe.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: actxprxy.dll
Source: C:\Windows\SysWOW64\regedit.exe Section loaded: authz.dll
Source: C:\Windows\SysWOW64\regedit.exe Section loaded: aclui.dll
Source: C:\Windows\SysWOW64\regedit.exe Section loaded: ulib.dll
Source: C:\Windows\SysWOW64\regedit.exe Section loaded: clb.dll
Source: C:\Windows\SysWOW64\regedit.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\regedit.exe Section loaded: ntdsapi.dll
Source: C:\Windows\SysWOW64\regedit.exe Section loaded: xmllite.dll
Source: C:\Windows\SysWOW64\net.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\net.exe Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\net.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\net.exe Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\net.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\net.exe Section loaded: iphlpapi.dll
Source: C:\Windows\explorer.exe Section loaded: aepic.dll
Source: C:\Windows\explorer.exe Section loaded: twinapi.dll
Source: C:\Windows\explorer.exe Section loaded: userenv.dll
Source: C:\Windows\explorer.exe Section loaded: iphlpapi.dll
Source: C:\Windows\explorer.exe Section loaded: powrprof.dll
Source: C:\Windows\explorer.exe Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe Section loaded: dxgi.dll
Source: C:\Windows\explorer.exe Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe Section loaded: propsys.dll
Source: C:\Windows\explorer.exe Section loaded: coremessaging.dll
Source: C:\Windows\explorer.exe Section loaded: urlmon.dll
Source: C:\Windows\explorer.exe Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe Section loaded: wtsapi32.dll
Source: C:\Windows\explorer.exe Section loaded: wininet.dll
Source: C:\Windows\explorer.exe Section loaded: uxtheme.dll
Source: C:\Windows\explorer.exe Section loaded: dwmapi.dll
Source: C:\Windows\explorer.exe Section loaded: sspicli.dll
Source: C:\Windows\explorer.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe Section loaded: twinapi.appcore.dll
Source: C:\Windows\explorer.exe Section loaded: ntmarta.dll
Source: C:\Windows\explorer.exe Section loaded: cryptsp.dll
Source: C:\Windows\explorer.exe Section loaded: wldp.dll
Source: C:\Windows\explorer.exe Section loaded: iertutil.dll
Source: C:\Windows\explorer.exe Section loaded: srvcli.dll
Source: C:\Windows\explorer.exe Section loaded: netutils.dll
Source: C:\Windows\explorer.exe Section loaded: umpdc.dll
Source: C:\Windows\explorer.exe Section loaded: ninput.dll
Source: C:\Windows\explorer.exe Section loaded: explorerframe.dll
Source: C:\Windows\explorer.exe Section loaded: actxprxy.dll
Source: C:\Windows\explorer.exe Section loaded: windows.shell.servicehostbuilder.dll
Source: C:\Windows\explorer.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\explorer.exe Section loaded: ieframe.dll
Source: C:\Windows\explorer.exe Section loaded: netapi32.dll
Source: C:\Windows\explorer.exe Section loaded: version.dll
Source: C:\Windows\explorer.exe Section loaded: winhttp.dll
Source: C:\Windows\explorer.exe Section loaded: wkscli.dll
Source: C:\Windows\explorer.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\explorer.exe Section loaded: edputil.dll
Source: C:\Windows\explorer.exe Section loaded: secur32.dll
Source: C:\Windows\explorer.exe Section loaded: mlang.dll
Source: C:\Windows\explorer.exe Section loaded: profapi.dll
Source: C:\Windows\explorer.exe Section loaded: policymanager.dll
Source: C:\Windows\explorer.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\explorer.exe Section loaded: wintypes.dll
Source: C:\Windows\explorer.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\explorer.exe Section loaded: pcacli.dll
Source: C:\Windows\explorer.exe Section loaded: mpr.dll
Source: C:\Windows\explorer.exe Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\net.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\net.exe Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\net.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\net.exe Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\net.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\net.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\net.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\net.exe Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\net.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\net.exe Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\net.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\net.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\net.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\net.exe Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\net.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\net.exe Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\net.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\net.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\net1.exe Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\net1.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\net1.exe Section loaded: dsrole.dll
Source: C:\Windows\SysWOW64\net1.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\net1.exe Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\net1.exe Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\net1.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\net.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\net.exe Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\net.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\net.exe Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\net.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\net.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\net1.exe Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\net1.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\net1.exe Section loaded: dsrole.dll
Source: C:\Windows\SysWOW64\net1.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\net1.exe Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\net1.exe Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\net1.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\net.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\net.exe Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\net.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\net.exe Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\net.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\net.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\net1.exe Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\net1.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\net1.exe Section loaded: dsrole.dll
Source: C:\Windows\SysWOW64\net1.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\net1.exe Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\net1.exe Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\net1.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\net1.exe Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\net1.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\net1.exe Section loaded: dsrole.dll
Source: C:\Windows\SysWOW64\net1.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\net1.exe Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\net1.exe Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\net1.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\net1.exe Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\net1.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\net1.exe Section loaded: dsrole.dll
Source: C:\Windows\SysWOW64\net1.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\net1.exe Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\net1.exe Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\net1.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\net1.exe Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\net1.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\net1.exe Section loaded: dsrole.dll
Source: C:\Windows\SysWOW64\net1.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\net1.exe Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\net1.exe Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\net1.exe Section loaded: cryptbase.dll
Source: C:\Windows\wuauclt.exe Section loaded: wininet.dll
Source: C:\Windows\wuauclt.exe Section loaded: urlmon.dll
Source: C:\Windows\wuauclt.exe Section loaded: iertutil.dll
Source: C:\Windows\wuauclt.exe Section loaded: srvcli.dll
Source: C:\Windows\wuauclt.exe Section loaded: netutils.dll
Source: C:\Windows\wuauclt.exe Section loaded: apphelp.dll
Source: C:\Windows\wuauclt.exe Section loaded: sspicli.dll
Source: C:\Windows\wuauclt.exe Section loaded: windows.storage.dll
Source: C:\Windows\wuauclt.exe Section loaded: wldp.dll
Source: C:\Windows\wuauclt.exe Section loaded: profapi.dll
Source: C:\Windows\wuauclt.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\wuauclt.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\wuauclt.exe Section loaded: winhttp.dll
Source: C:\Windows\wuauclt.exe Section loaded: iphlpapi.dll
Source: C:\Windows\wuauclt.exe Section loaded: mswsock.dll
Source: C:\Windows\wuauclt.exe Section loaded: winnsi.dll
Source: C:\Windows\wuauclt.exe Section loaded: uxtheme.dll
Source: C:\Windows\wuauclt.exe Section loaded: dnsapi.dll
Source: C:\Windows\wuauclt.exe Section loaded: rasadhlp.dll
Source: C:\Windows\wuauclt.exe Section loaded: textshaping.dll
Source: C:\Windows\wuauclt.exe Section loaded: textinputframework.dll
Source: C:\Windows\wuauclt.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\wuauclt.exe Section loaded: coremessaging.dll
Source: C:\Windows\wuauclt.exe Section loaded: ntmarta.dll
Source: C:\Windows\wuauclt.exe Section loaded: coremessaging.dll
Source: C:\Windows\wuauclt.exe Section loaded: wintypes.dll
Source: C:\Windows\wuauclt.exe Section loaded: wintypes.dll
Source: C:\Windows\wuauclt.exe Section loaded: wintypes.dll
Source: C:\Windows\wuauclt.exe Section loaded: propsys.dll
Source: C:\Windows\wuauclt.exe Section loaded: edputil.dll
Source: C:\Windows\wuauclt.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\wuauclt.exe Section loaded: appresolver.dll
Source: C:\Windows\wuauclt.exe Section loaded: bcp47langs.dll
Source: C:\Windows\wuauclt.exe Section loaded: slc.dll
Source: C:\Windows\wuauclt.exe Section loaded: userenv.dll
Source: C:\Windows\wuauclt.exe Section loaded: sppc.dll
Source: C:\Windows\wuauclt.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\wuauclt.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\explorer.exe Section loaded: aepic.dll
Source: C:\Windows\explorer.exe Section loaded: twinapi.dll
Source: C:\Windows\explorer.exe Section loaded: userenv.dll
Source: C:\Windows\explorer.exe Section loaded: iphlpapi.dll
Source: C:\Windows\explorer.exe Section loaded: powrprof.dll
Source: C:\Windows\explorer.exe Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe Section loaded: dxgi.dll
Source: C:\Windows\explorer.exe Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe Section loaded: propsys.dll
Source: C:\Windows\explorer.exe Section loaded: coremessaging.dll
Source: C:\Windows\explorer.exe Section loaded: urlmon.dll
Source: C:\Windows\explorer.exe Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe Section loaded: wtsapi32.dll
Source: C:\Windows\explorer.exe Section loaded: wininet.dll
Source: C:\Windows\explorer.exe Section loaded: uxtheme.dll
Source: C:\Windows\explorer.exe Section loaded: dwmapi.dll
Source: C:\Windows\explorer.exe Section loaded: sspicli.dll
Source: C:\Windows\explorer.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe Section loaded: twinapi.appcore.dll
Source: C:\Windows\explorer.exe Section loaded: ntmarta.dll
Source: C:\Windows\explorer.exe Section loaded: cryptsp.dll
Source: C:\Windows\explorer.exe Section loaded: wldp.dll
Source: C:\Windows\explorer.exe Section loaded: iertutil.dll
Source: C:\Windows\explorer.exe Section loaded: srvcli.dll
Source: C:\Windows\explorer.exe Section loaded: netutils.dll
Source: C:\Windows\explorer.exe Section loaded: umpdc.dll
Source: C:\Windows\explorer.exe Section loaded: ninput.dll
Source: C:\Windows\explorer.exe Section loaded: explorerframe.dll
Source: C:\Windows\explorer.exe Section loaded: actxprxy.dll
Source: C:\Windows\explorer.exe Section loaded: aepic.dll
Source: C:\Windows\explorer.exe Section loaded: twinapi.dll
Source: C:\Windows\explorer.exe Section loaded: userenv.dll
Source: C:\Windows\explorer.exe Section loaded: iphlpapi.dll
Source: C:\Windows\explorer.exe Section loaded: powrprof.dll
Source: C:\Windows\explorer.exe Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe Section loaded: dxgi.dll
Source: C:\Windows\explorer.exe Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe Section loaded: propsys.dll
Source: C:\Windows\explorer.exe Section loaded: coremessaging.dll
Source: C:\Windows\explorer.exe Section loaded: urlmon.dll
Source: C:\Windows\explorer.exe Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe Section loaded: wtsapi32.dll
Source: C:\Windows\explorer.exe Section loaded: wininet.dll
Source: C:\Windows\explorer.exe Section loaded: uxtheme.dll
Source: C:\Windows\explorer.exe Section loaded: dwmapi.dll
Source: C:\Windows\explorer.exe Section loaded: sspicli.dll
Source: C:\Windows\explorer.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe Section loaded: twinapi.appcore.dll
Source: C:\Windows\explorer.exe Section loaded: wldp.dll
Source: C:\Windows\explorer.exe Section loaded: iertutil.dll
Source: C:\Windows\explorer.exe Section loaded: srvcli.dll
Source: C:\Windows\explorer.exe Section loaded: netutils.dll
Source: C:\Windows\explorer.exe Section loaded: ntmarta.dll
Source: C:\Windows\explorer.exe Section loaded: cryptsp.dll
Source: C:\Windows\explorer.exe Section loaded: umpdc.dll
Source: C:\Windows\explorer.exe Section loaded: ninput.dll
Source: C:\Windows\explorer.exe Section loaded: explorerframe.dll
Source: C:\Windows\explorer.exe Section loaded: actxprxy.dll
Source: C:\Windows\explorer.exe Section loaded: windows.shell.servicehostbuilder.dll
Source: C:\Windows\explorer.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\explorer.exe Section loaded: ieframe.dll
Source: C:\Windows\explorer.exe Section loaded: netapi32.dll
Source: C:\Windows\explorer.exe Section loaded: version.dll
Source: C:\Windows\explorer.exe Section loaded: winhttp.dll
Source: C:\Windows\explorer.exe Section loaded: wkscli.dll
Source: C:\Windows\explorer.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\explorer.exe Section loaded: edputil.dll
Source: C:\Windows\explorer.exe Section loaded: secur32.dll
Source: C:\Windows\explorer.exe Section loaded: mlang.dll
Source: C:\Windows\explorer.exe Section loaded: profapi.dll
Source: C:\Windows\explorer.exe Section loaded: policymanager.dll
Source: C:\Windows\explorer.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\explorer.exe Section loaded: wintypes.dll
Source: C:\Windows\explorer.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\explorer.exe Section loaded: pcacli.dll
Source: C:\Windows\explorer.exe Section loaded: mpr.dll
Source: C:\Windows\explorer.exe Section loaded: sfc_os.dll
Source: C:\Users\user\Desktop\sxs.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32 Jump to behavior
Source: Google Drive.lnk.6.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.6.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.6.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.6.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.6.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.6.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\explorer.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\16.0\Access\Capabilities\UrlAssociations Jump to behavior
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\sxs.exe Code function: 0_3_00741BC1 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,VirtualAlloc,CloseHandle,VirtualFree,EnumProcesses,OpenProcess,EnumProcessModules,OpenProcess,CreateProcessA,GetInputState,GetCurrentThreadId,PostThreadMessageA,GetMessageA,ReadProcessMemory,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualFreeEx,CloseHandle,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,VirtualProtectEx,WriteProcessMemory,WriteProcessMemory,ResumeThread,GetInputState,GetCurrentThreadId,PostThreadMessageA,GetMessageA,WaitForSingleObject,CreateRemoteThread,SetThreadPriority,WaitForSingleObject,VirtualFreeEx,CloseHandle,CloseHandle,CloseHandle,CloseHandle, 0_3_00741BC1
Entry point lies outside standard sections
Source: initial sample Static PE information: section where entry point is pointing to: es2z1
PE file contains sections with non-standard names
Source: sxs.exe Static PE information: section name: es2z0
Source: sxs.exe Static PE information: section name: es2z1
Source: sxs.exe Static PE information: section name: es2z2
Source: wuauclt.exe.0.dr Static PE information: section name: es2z0
Source: wuauclt.exe.0.dr Static PE information: section name: es2z1
Source: wuauclt.exe.0.dr Static PE information: section name: es2z2
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\sxs.exe Code function: 0_3_00741C0A push 90909090h; ret 0_3_00741C19
Source: C:\Users\user\Desktop\sxs.exe Code function: 0_2_00404024 push 00404075h; ret 0_2_0040406D
Source: C:\Users\user\Desktop\sxs.exe Code function: 0_2_004068D0 push ecx; mov dword ptr [esp], 00000007h 0_2_004068D1
Source: C:\Users\user\Desktop\sxs.exe Code function: 0_2_00408494 push ecx; mov dword ptr [esp], 00000007h 0_2_00408495
Source: C:\Users\user\Desktop\sxs.exe Code function: 0_2_0040481C push 00404848h; ret 0_2_00404840
Source: C:\Users\user\Desktop\sxs.exe Code function: 0_2_00404022 push 00404075h; ret 0_2_0040406D
Source: C:\Users\user\Desktop\sxs.exe Code function: 0_2_004068F0 push 0040691Ch; ret 0_2_00406914
Source: C:\Users\user\Desktop\sxs.exe Code function: 0_2_004051C8 push 004052A8h; ret 0_2_004052A0
Source: C:\Users\user\Desktop\sxs.exe Code function: 0_2_004051CC push 004052A8h; ret 0_2_004052A0
Source: C:\Users\user\Desktop\sxs.exe Code function: 0_2_0043C9EE push ebx; mov dword ptr [esp], 41912273h 0_2_0043CA0C
Source: C:\Users\user\Desktop\sxs.exe Code function: 0_2_0043C9EE push ecx; mov dword ptr [esp], eax 0_2_0043CA60
Source: C:\Users\user\Desktop\sxs.exe Code function: 0_2_004041F4 push 00404220h; ret 0_2_00404218
Source: C:\Users\user\Desktop\sxs.exe Code function: 0_2_0043C9F4 push ebx; mov dword ptr [esp], 41912273h 0_2_0043CA0C
Source: C:\Users\user\Desktop\sxs.exe Code function: 0_2_0043C9F4 push ecx; mov dword ptr [esp], eax 0_2_0043CA60
Source: C:\Users\user\Desktop\sxs.exe Code function: 0_2_0043A99B push eax; ret 0_2_0043A99C
Source: C:\Users\user\Desktop\sxs.exe Code function: 0_2_0043C1B1 push ecx; mov dword ptr [esp], eax 0_2_0043C1EA
Source: C:\Users\user\Desktop\sxs.exe Code function: 0_2_00439A74 push esi; ret 0_2_00439A80
Source: C:\Users\user\Desktop\sxs.exe Code function: 0_2_00439A26 push esi; ret 0_2_00439A80
Source: C:\Users\user\Desktop\sxs.exe Code function: 0_2_0040422C push 00404258h; ret 0_2_00404250
Source: C:\Users\user\Desktop\sxs.exe Code function: 0_2_0043AACF push AA6B2F6Ah; rep ret 0_2_0043AAD4
Source: C:\Users\user\Desktop\sxs.exe Code function: 0_2_004052F2 push 00405320h; ret 0_2_00405318
Source: C:\Users\user\Desktop\sxs.exe Code function: 0_2_004052F4 push 00405320h; ret 0_2_00405318
Source: C:\Users\user\Desktop\sxs.exe Code function: 0_2_004052B4 push 004052E0h; ret 0_2_004052D8
Source: C:\Users\user\Desktop\sxs.exe Code function: 0_2_00405364 push 00405390h; ret 0_2_00405388
Source: C:\Users\user\Desktop\sxs.exe Code function: 0_2_00408B1C push 00408B42h; ret 0_2_00408B3A
Source: C:\Users\user\Desktop\sxs.exe Code function: 0_2_0040532C push 00405358h; ret 0_2_00405350
Source: C:\Users\user\Desktop\sxs.exe Code function: 0_2_0043CBFC push edi; mov dword ptr [esp], edx 0_2_0043CC3C
Source: C:\Users\user\Desktop\sxs.exe Code function: 0_2_004053AA push 004053D8h; ret 0_2_004053D0
Source: C:\Users\user\Desktop\sxs.exe Code function: 0_2_004053AC push 004053D8h; ret 0_2_004053D0
Source: C:\Users\user\Desktop\sxs.exe Code function: 0_2_00404448 push 00404474h; ret 0_2_0040446C
Source: C:\Users\user\Desktop\sxs.exe Code function: 0_2_0043CC1B push edi; mov dword ptr [esp], edx 0_2_0043CC3C
Source: sxs.exe Static PE information: section name: es2z1 entropy: 7.783668165941755
Source: wuauclt.exe.0.dr Static PE information: section name: es2z1 entropy: 7.783668165941755

Persistence and Installation Behavior
barindex
Drops executables to the windows directory (C:\Windows) and starts them
Source: C:\Users\user\Desktop\sxs.exe Executable created and started: C:\Windows\wuauclt.exe Jump to behavior
Contains functionality to download and launch executables
Source: C:\Users\user\Desktop\sxs.exe Code function: 0_2_00407BEC URLDownloadToFileA,Sleep,CopyFileA,Sleep,ShellExecuteA, 0_2_00407BEC
Drops PE files
Source: C:\Users\user\Desktop\sxs.exe File created: C:\Windows\wuauclt.exe Jump to dropped file
Drops PE files to the windows directory (C:\Windows)
Source: C:\Users\user\Desktop\sxs.exe File created: C:\Windows\wuauclt.exe Jump to dropped file
Stores files to the Windows start menu directory
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk Jump to behavior
Uses net.exe to stop services
Source: C:\Windows\wuauclt.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" stop sharedaccess
Source: C:\Users\user\Desktop\sxs.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Microsoft Jump to behavior
Source: C:\Users\user\Desktop\sxs.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Microsoft Jump to behavior
Source: C:\Windows\wuauclt.exe Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" config KVWSC start= disabled
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Desktop\sxs.exe Code function: 0_3_00741BC1 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,VirtualAlloc,CloseHandle,VirtualFree,EnumProcesses,OpenProcess,EnumProcessModules,OpenProcess,CreateProcessA,GetInputState,GetCurrentThreadId,PostThreadMessageA,GetMessageA,ReadProcessMemory,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualFreeEx,CloseHandle,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,VirtualProtectEx,WriteProcessMemory,WriteProcessMemory,ResumeThread,GetInputState,GetCurrentThreadId,PostThreadMessageA,GetMessageA,WaitForSingleObject,CreateRemoteThread,SetThreadPriority,WaitForSingleObject,VirtualFreeEx,CloseHandle,CloseHandle,CloseHandle,CloseHandle, 0_3_00741BC1
Source: C:\Users\user\Desktop\sxs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\sxs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\sxs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\sxs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\sxs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\wuauclt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\regedit.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\wuauclt.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion
barindex
Found evasive API chain (may stop execution after checking mutex)
Source: C:\Users\user\Desktop\sxs.exe Evasive API call chain: CreateMutex,DecisionNodes,Sleep
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: wuauclt.exe, 0000002A.00000003.2177763585.00000000021F0000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: HTTP://WWW.TW7890.COM/TWV/HELP.EXEHTTP://WWW.OM7890.COM/MFX/HELP.EXEHTTP://WWW.HG7890.COM/HGB/HELP.EXEHTTP://WWW.GAMESRB.COM/RBM/HELP.EXES5CREDMGR.EXE;MINISNIFFER.EXE;PACKETCAPTURE.EXE;PEEPNET.EXE;CAPTURENET.EXE;WIRESHARK.EXE;APS.EXE;SOCKMON5.EXE;GAMETROYHORSEDETECT.EXE;FILEMON.EXE;REGMON.EXE;CAPTURE;SNIFFER;
Source: wuauclt.exe, 0000002A.00000003.2177763585.00000000021F0000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: S5CREDMGR.EXE;MINISNIFFER.EXE;PACKETCAPTURE.EXE;PEEPNET.EXE;CAPTURENET.EXE;WIRESHARK.EXE;APS.EXE;SOCKMON5.EXE;GAMETROYHORSEDETECT.EXE;FILEMON.EXE;REGMON.EXE;
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\sxs.exe Thread delayed: delay time: 480000 Jump to behavior
Source: C:\Users\user\Desktop\sxs.exe Thread delayed: delay time: 900000 Jump to behavior
Source: C:\Users\user\Desktop\sxs.exe Thread delayed: delay time: 1800000 Jump to behavior
Source: C:\Users\user\Desktop\sxs.exe Thread delayed: delay time: 300000 Jump to behavior
Source: C:\Windows\wuauclt.exe Thread delayed: delay time: 900000 Jump to behavior
Source: C:\Windows\wuauclt.exe Thread delayed: delay time: 1800000 Jump to behavior
Source: C:\Windows\wuauclt.exe Thread delayed: delay time: 300000 Jump to behavior
Source: C:\Windows\wuauclt.exe Thread delayed: delay time: 480000
Source: C:\Windows\wuauclt.exe Thread delayed: delay time: 900000
Source: C:\Windows\wuauclt.exe Thread delayed: delay time: 1800000
Source: C:\Windows\wuauclt.exe Thread delayed: delay time: 300000
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\sxs.exe TID: 5704 Thread sleep time: -480000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\sxs.exe TID: 5272 Thread sleep time: -900000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\sxs.exe TID: 5528 Thread sleep time: -1800000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\sxs.exe TID: 5304 Thread sleep time: -300000s >= -30000s Jump to behavior
Source: C:\Windows\wuauclt.exe TID: 7804 Thread sleep time: -900000s >= -30000s Jump to behavior
Source: C:\Windows\wuauclt.exe TID: 7808 Thread sleep time: -1800000s >= -30000s Jump to behavior
Source: C:\Windows\wuauclt.exe TID: 7812 Thread sleep time: -300000s >= -30000s Jump to behavior
Source: C:\Windows\wuauclt.exe TID: 9168 Thread sleep time: -480000s >= -30000s
Source: C:\Windows\wuauclt.exe TID: 8288 Thread sleep time: -900000s >= -30000s
Source: C:\Windows\wuauclt.exe TID: 8260 Thread sleep time: -1800000s >= -30000s
Source: C:\Windows\wuauclt.exe TID: 8252 Thread sleep time: -300000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\sxs.exe Code function: 0_2_00404C8C FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime, 0_2_00404C8C
Source: C:\Windows\wuauclt.exe Code function: 4_2_00404C8C FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime, 4_2_00404C8C
Source: C:\Windows\wuauclt.exe Code function: 42_2_00404C8C FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime, 42_2_00404C8C
Source: C:\Users\user\Desktop\sxs.exe Thread delayed: delay time: 480000 Jump to behavior
Source: C:\Users\user\Desktop\sxs.exe Thread delayed: delay time: 900000 Jump to behavior
Source: C:\Users\user\Desktop\sxs.exe Thread delayed: delay time: 1800000 Jump to behavior
Source: C:\Users\user\Desktop\sxs.exe Thread delayed: delay time: 300000 Jump to behavior
Source: C:\Windows\wuauclt.exe Thread delayed: delay time: 900000 Jump to behavior
Source: C:\Windows\wuauclt.exe Thread delayed: delay time: 1800000 Jump to behavior
Source: C:\Windows\wuauclt.exe Thread delayed: delay time: 300000 Jump to behavior
Source: C:\Windows\wuauclt.exe Thread delayed: delay time: 480000
Source: C:\Windows\wuauclt.exe Thread delayed: delay time: 900000
Source: C:\Windows\wuauclt.exe Thread delayed: delay time: 1800000
Source: C:\Windows\wuauclt.exe Thread delayed: delay time: 300000
Source: wuauclt.exe, 00000004.00000002.3253380639.000000000066E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllV
Source: explorer.exe, 0000002E.00000003.2804551864.0000000000565000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}8b}
Source: explorer.exe, 00000005.00000002.2639171790.0000000000F6D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}m
Source: explorer.exe, 0000000C.00000002.2676620417.00000000014CD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: sxs.exe, 00000000.00000002.2041399746.00000000007DE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllV_
Source: wuauclt.exe, 0000002A.00000002.2234954053.000000000055B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllDq5k
Source: explorer.exe, 0000000C.00000002.2676620417.00000000014AB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:@
Source: C:\Users\user\Desktop\sxs.exe API call chain: ExitProcess graph end node
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\sxs.exe Code function: 0_2_00439FF4 LdrInitializeThunk, 0_2_00439FF4
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\sxs.exe Code function: 0_3_00741BC1 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,VirtualAlloc,CloseHandle,VirtualFree,EnumProcesses,OpenProcess,EnumProcessModules,OpenProcess,CreateProcessA,GetInputState,GetCurrentThreadId,PostThreadMessageA,GetMessageA,ReadProcessMemory,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualFreeEx,CloseHandle,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,VirtualProtectEx,WriteProcessMemory,WriteProcessMemory,ResumeThread,GetInputState,GetCurrentThreadId,PostThreadMessageA,GetMessageA,WaitForSingleObject,CreateRemoteThread,SetThreadPriority,WaitForSingleObject,VirtualFreeEx,CloseHandle,CloseHandle,CloseHandle,CloseHandle, 0_3_00741BC1
Source: C:\Users\user\Desktop\sxs.exe Memory protected: page execute read | page execute and read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Allocates memory in foreign processes
Source: C:\Users\user\Desktop\sxs.exe Memory allocated: C:\Program Files\Internet Explorer\iexplore.exe base: 100000 protect: page execute and read and write Jump to behavior
Source: C:\Windows\wuauclt.exe Memory allocated: C:\Program Files\Internet Explorer\iexplore.exe base: D50000 protect: page execute and read and write
Contains functionality to inject code into remote processes
Source: C:\Users\user\Desktop\sxs.exe Code function: 0_3_00741BC1 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,VirtualAlloc,CloseHandle,VirtualFree,EnumProcesses,OpenProcess,EnumProcessModules,OpenProcess,CreateProcessA,GetInputState,GetCurrentThreadId,PostThreadMessageA,GetMessageA,ReadProcessMemory,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualFreeEx,CloseHandle,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,VirtualProtectEx,WriteProcessMemory,WriteProcessMemory,ResumeThread,GetInputState,GetCurrentThreadId,PostThreadMessageA,GetMessageA,WaitForSingleObject,CreateRemoteThread,SetThreadPriority,WaitForSingleObject,VirtualFreeEx,CloseHandle,CloseHandle,CloseHandle,CloseHandle, 0_3_00741BC1
Contains functionality to inject threads in other processes
Source: C:\Users\user\Desktop\sxs.exe Code function: 0_3_00741BC1 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,VirtualAlloc,CloseHandle,VirtualFree,EnumProcesses,OpenProcess,EnumProcessModules,OpenProcess,CreateProcessA,GetInputState,GetCurrentThreadId,PostThreadMessageA,GetMessageA,ReadProcessMemory,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualFreeEx,CloseHandle,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,VirtualProtectEx,WriteProcessMemory,WriteProcessMemory,ResumeThread,GetInputState,GetCurrentThreadId,PostThreadMessageA,GetMessageA,WaitForSingleObject,CreateRemoteThread,SetThreadPriority,WaitForSingleObject,VirtualFreeEx,CloseHandle,CloseHandle,CloseHandle,CloseHandle, 0_3_00741BC1
Source: C:\Windows\wuauclt.exe Code function: 42_3_02311BC1 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,VirtualAlloc,CloseHandle,VirtualFree,EnumProcesses,OpenProcess,EnumProcessModules,OpenProcess,CreateProcessA,GetInputState,GetCurrentThreadId,PostThreadMessageA,GetMessageA,ReadProcessMemory,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualFreeEx,CloseHandle,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,VirtualProtectEx,WriteProcessMemory,WriteProcessMemory,ResumeThread,GetInputState,GetCurrentThreadId,PostThreadMessageA,GetMessageA,WaitForSingleObject,CreateRemoteThread,SetThreadPriority,WaitForSingleObject,VirtualFreeEx,CloseHandle,CloseHandle,CloseHandle,CloseHandle, 42_3_02311BC1
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\sxs.exe Memory written: C:\Program Files\Internet Explorer\iexplore.exe base: 100000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\wuauclt.exe Memory written: C:\Program Files\Internet Explorer\iexplore.exe base: D50000 value starts with: 4D5A
Writes to foreign memory regions
Source: C:\Users\user\Desktop\sxs.exe Memory written: C:\Program Files\Internet Explorer\iexplore.exe base: 100000 Jump to behavior
Source: C:\Users\user\Desktop\sxs.exe Memory written: C:\Program Files\Internet Explorer\iexplore.exe base: 101A36 Jump to behavior
Source: C:\Users\user\Desktop\sxs.exe Memory written: C:\Program Files\Internet Explorer\iexplore.exe base: 101A3B Jump to behavior
Source: C:\Users\user\Desktop\sxs.exe Memory written: C:\Program Files\Internet Explorer\iexplore.exe base: 101A59 Jump to behavior
Source: C:\Users\user\Desktop\sxs.exe Memory written: C:\Program Files\Internet Explorer\iexplore.exe base: 101A59 Jump to behavior
Source: C:\Windows\wuauclt.exe Memory written: C:\Program Files\Internet Explorer\iexplore.exe base: D50000
Source: C:\Windows\wuauclt.exe Memory written: C:\Program Files\Internet Explorer\iexplore.exe base: D51A36
Source: C:\Windows\wuauclt.exe Memory written: C:\Program Files\Internet Explorer\iexplore.exe base: D51A3B
Source: C:\Windows\wuauclt.exe Memory written: C:\Program Files\Internet Explorer\iexplore.exe base: D51A59
Source: C:\Windows\wuauclt.exe Memory written: C:\Program Files\Internet Explorer\iexplore.exe base: D51A59
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\sxs.exe Process created: C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" Jump to behavior
Source: C:\Users\user\Desktop\sxs.exe Process created: C:\Windows\SysWOW64\explorer.exe "C:\Windows\System32\explorer.exe" http://www.onefordvd.com Jump to behavior
Source: C:\Users\user\Desktop\sxs.exe Process created: C:\Windows\wuauclt.exe "C:\Windows\wuauclt.exe" Jump to behavior
Source: C:\Windows\wuauclt.exe Process created: C:\Windows\SysWOW64\explorer.exe "C:\Windows\System32\explorer.exe" http://www.onefordvd.com Jump to behavior
Source: C:\Windows\wuauclt.exe Process created: C:\Windows\SysWOW64\regedit.exe "C:\Windows\System32\regedit.exe" /s C:\Windows\noruns.reg Jump to behavior
Source: C:\Windows\wuauclt.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" stop sharedaccess Jump to behavior
Source: C:\Windows\wuauclt.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" stop KVWSC Jump to behavior
Source: C:\Windows\wuauclt.exe Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" config KVWSC start= disabled Jump to behavior
Source: C:\Windows\wuauclt.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" stop KVSrvXP Jump to behavior
Source: C:\Windows\wuauclt.exe Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" config KVSrvXP start= disabled Jump to behavior
Source: C:\Windows\wuauclt.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" stop kavsvc Jump to behavior
Source: C:\Windows\wuauclt.exe Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" config kavsvc start= disabled Jump to behavior
Source: C:\Windows\wuauclt.exe Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" config RsRavMon start= disabled Jump to behavior
Source: C:\Windows\wuauclt.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" stop RsCCenter Jump to behavior
Source: C:\Windows\wuauclt.exe Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" config RsCCenter start= disabled Jump to behavior
Source: C:\Windows\wuauclt.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" stop RsRavMon Jump to behavior
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop sharedaccess
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop KVWSC
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop KVSrvXP
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop kavsvc
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop RsCCenter
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop RsRavMon
Source: C:\Windows\wuauclt.exe Process created: C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe"
Source: C:\Windows\wuauclt.exe Process created: C:\Windows\explorer.exe "C:\Windows\explorer.exe" http://www.dvdforone.com
Source: wuauclt.exe, 00000004.00000002.3253732346.0000000002105000.00000004.00001000.00020000.00000000.sdmp, wuauclt.exe, 0000002A.00000003.2234129206.00000000023B5000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: wuauclt.exe, 0000002A.00000003.2234129206.00000000023B5000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: Program ManagerhNotificationAreaIconWindowClassut Application
Source: wuauclt.exe, 00000004.00000002.3253732346.0000000002105000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: Program ManagerhNotificationAreaIconWindowClass
Source: C:\Users\user\Desktop\sxs.exe Code function: 0_2_00402728 GetSystemTime, 0_2_00402728
Source: C:\Users\user\Desktop\sxs.exe Code function: 0_3_007418A1 GetVersionExA, 0_3_007418A1
AV process strings found (often used to terminate AV products)
Source: wuauclt.exe, wuauclt.exe, 0000002A.00000002.2234707421.0000000000401000.00000004.00000001.01000000.00000007.sdmp Binary or memory string: kavstart.exe
Source: wuauclt.exe, wuauclt.exe, 0000002A.00000002.2234707421.0000000000401000.00000004.00000001.01000000.00000007.sdmp Binary or memory string: CCenter.exe
Source: wuauclt.exe, wuauclt.exe, 0000002A.00000002.2234707421.0000000000401000.00000004.00000001.01000000.00000007.sdmp Binary or memory string: KavPFW.exe
Source: wuauclt.exe, wuauclt.exe, 0000002A.00000002.2234707421.0000000000401000.00000004.00000001.01000000.00000007.sdmp Binary or memory string: Kav.exe
Source: wuauclt.exe, wuauclt.exe, 0000002A.00000002.2234707421.0000000000401000.00000004.00000001.01000000.00000007.sdmp Binary or memory string: kav32.exe
Source: wuauclt.exe, wuauclt.exe, 0000002A.00000002.2234707421.0000000000401000.00000004.00000001.01000000.00000007.sdmp Binary or memory string: Kvsrvxp.exe
Source: wuauclt.exe, wuauclt.exe, 0000002A.00000002.2234707421.0000000000401000.00000004.00000001.01000000.00000007.sdmp Binary or memory string: kavsvc.exe
Source: wuauclt.exe, wuauclt.exe, 0000002A.00000002.2234707421.0000000000401000.00000004.00000001.01000000.00000007.sdmp Binary or memory string: RavMonD.exe
Source: wuauclt.exe, wuauclt.exe, 0000002A.00000002.2234707421.0000000000401000.00000004.00000001.01000000.00000007.sdmp Binary or memory string: Rtvscan.exe
Contains functionality to search for IE or Outlook window (often done to steal information)
Source: C:\Windows\wuauclt.exe Code function: 4_2_0040558C FindWindowA,EnumChildWindows,FindWindowExA, 4_2_0040558C
Source: C:\Windows\wuauclt.exe Code function: 42_2_0040558C FindWindowA,EnumChildWindows,FindWindowExA, 42_2_0040558C
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1501290 Sample: sxs.exe Startdate: 29/08/2024 Architecture: WINDOWS Score: 100 75 www.dvdforone.com 2->75 77 msg.tmhacker.com 2->77 79 1861119.com 2->79 93 Antivirus detection for URL or domain 2->93 95 Antivirus / Scanner detection for submitted sample 2->95 97 Multi AV Scanner detection for submitted file 2->97 99 Machine Learning detection for sample 2->99 9 sxs.exe 2 16 2->9         started        13 wuauclt.exe 2->13         started        15 explorer.exe 12 2->15         started        17 2 other processes 2->17 signatures3 process4 file5 69 C:\Windows\wuauclt.exe, MS-DOS 9->69 dropped 71 C:\Windows\wuauclt.exe:Zone.Identifier, ASCII 9->71 dropped 73 C:\Windows\noruns.reg, Windows 9->73 dropped 111 Found evasive API chain (may stop execution after checking mutex) 9->111 113 Contains functionality to inject threads in other processes 9->113 115 Drops executables to the windows directory (C:\Windows) and starts them 9->115 123 2 other signatures 9->123 19 wuauclt.exe 13 9->19         started        22 explorer.exe 9->22         started        24 iexplore.exe 9->24         started        117 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 13->117 119 Writes to foreign memory regions 13->119 121 Allocates memory in foreign processes 13->121 26 iexplore.exe 13->26         started        28 explorer.exe 13->28         started        30 chrome.exe 8 15->30         started        33 chrome.exe 17->33         started        35 chrome.exe 17->35         started        signatures6 process7 dnsIp8 101 Antivirus detection for dropped file 19->101 103 Multi AV Scanner detection for dropped file 19->103 105 Machine Learning detection for dropped file 19->105 107 2 other signatures 19->107 37 regedit.exe 19->37         started        40 net.exe 19->40         started        42 net.exe 19->42         started        51 10 other processes 19->51 87 192.168.2.4 unknown unknown 30->87 89 192.168.2.5, 443, 49269, 49378 unknown unknown 30->89 91 239.255.255.250 unknown Reserved 30->91 44 chrome.exe 30->44         started        47 chrome.exe 33->47         started        49 chrome.exe 35->49         started        signatures9 process10 dnsIp11 109 Changes autostart functionality of drives 37->109 53 conhost.exe 40->53         started        55 net1.exe 40->55         started        57 conhost.exe 42->57         started        59 net1.exe 42->59         started        81 www.onefordvd.com 15.197.204.56, 443, 49707, 49708 TANDEMUS United States 44->81 83 142.250.184.193, 443, 53794, 53795 GOOGLEUS United States 44->83 85 16 other IPs or domains 44->85 61 conhost.exe 51->61         started        63 conhost.exe 51->63         started        65 conhost.exe 51->65         started        67 10 other processes 51->67 signatures12 process13
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
142.250.186.68
 www.google.com United States
15169 GOOGLEUS false
216.58.206.38
 ad.doubleclick.net United States
15169 GOOGLEUS false
54.174.215.77
 gddomainparking.com United States
14618 AMAZON-AESUS false
104.26.2.70
 unknown United States
13335 CLOUDFLARENETUS false
142.250.186.161
 googlehosted.l.googleusercontent.com United States
15169 GOOGLEUS false
172.217.16.206
 syndicatedsearch.goog United States
15169 GOOGLEUS false
142.250.184.193
 unknown United States
15169 GOOGLEUS false
172.67.69.19
 ad-delivery.net United States
13335 CLOUDFLARENETUS false
15.197.204.56
 www.onefordvd.com United States
7430 TANDEMUS false
172.67.41.60
 btloader.com United States
13335 CLOUDFLARENETUS false
216.58.206.68
 unknown United States
15169 GOOGLEUS false
239.255.255.250
 unknown Reserved
unknown unknown false
142.250.186.166
 unknown United States
15169 GOOGLEUS false
142.250.184.238
 unknown United States
15169 GOOGLEUS false

Private

IP
192.168.2.4
192.168.2.5

Contacted Domains

Name IP Active
gddomainparking.com 54.174.215.77 true
google.com 142.250.186.110 true
syndicatedsearch.goog 172.217.16.206 true
ad.doubleclick.net 216.58.206.38 true
www.google.com 142.250.186.68 true
btloader.com 172.67.41.60 true
googlehosted.l.googleusercontent.com 142.250.186.161 true
www.onefordvd.com 15.197.204.56 true
ad-delivery.net 172.67.69.19 true
img1.wsimg.com unknown unknown
1861119.com unknown unknown
afs.googleusercontent.com unknown unknown
www.dvdforone.com unknown unknown
api.aws.parking.godaddy.com unknown unknown
msg.tmhacker.com unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://ad-delivery.net/px.gif?ch=2 false
  • URL Reputation: safe
 unknown
https://api.aws.parking.godaddy.com/v1/parkingEvents?abp=1&gdabp=true false
  • Avira URL Cloud: safe
 unknown
https://syndicatedsearch.goog/afs/gen_204?client=dp-namemedia06_3ph&output=uds_ads_only&zx=lhb5r7xl5det&aqid=1Y_QZrGTL9KnjuwPiPe1wA0&psid=7621175430&pbt=bv&adbx=267&adby=173.6875&adbh=464&adbw=500&adbah=148%2C148%2C148&adbn=master-1&eawp=partner-dp-namemedia06_3ph&errv=667606770&csala=4%7C0%7C1541%7C1243%7C284&lle=0&ifv=1&hpt=0 false
  • Avira URL Cloud: safe
 unknown
https://www.onefordvd.com/lander false
    		unknown
    https://ad-delivery.net/px.gif?ch=1&e=0.7379176731179411 false
    • Avira URL Cloud: safe
    		 unknown
    https://ad.doubleclick.net/favicon.ico?ad=300x250&ad_box_=1&adnet=1&showad=1&size=250x250 false
    • Avira URL Cloud: safe
    		 unknown
    https://www.google.com/js/bg/qfimbA0GYhgyETKN2gHT05d-Hpg6wiB8plDJ1aMSf3s.js false
    • Avira URL Cloud: safe
    		 unknown
    https://syndicatedsearch.goog/adsense/domains/caf.js?pac=0 false
    • Avira URL Cloud: safe
    		 unknown
    https://syndicatedsearch.goog/afs/gen_204?client=dp-namemedia06_3ph&output=uds_ads_only&zx=2gf50ip8fgbm&aqid=1o_QZoOUFf6kjuwPko2JoA0&psid=7621175430&pbt=bv&adbx=267&adby=173.6875&adbh=464&adbw=500&adbah=148%2C148%2C148&adbn=master-1&eawp=partner-dp-namemedia06_3ph&errv=667606770&csala=11%7C0%7C1627%7C1343%7C1527&lle=0&ifv=1&hpt=0 false
    • Avira URL Cloud: safe
    		 unknown
    https://afs.googleusercontent.com/ad_icons/standard/publisher_icon_image/chevron.svg?c=%230f1c21 false
    • Avira URL Cloud: safe
    		 unknown
    https://syndicatedsearch.goog/afs/gen_204?client=dp-namemedia06_3ph&output=uds_ads_only&zx=g3yhpaijmirq&aqid=1o_QZoOUFf6kjuwPko2JoA0&psid=7621175430&pbt=bs&adbx=267&adby=173.6875&adbh=464&adbw=500&adbah=148%2C148%2C148&adbn=master-1&eawp=partner-dp-namemedia06_3ph&errv=667606770&csala=11%7C0%7C1627%7C1343%7C1527&lle=0&ifv=1&hpt=0 false
    • Avira URL Cloud: safe
    		 unknown
    https://www.google.com/adsense/domains/caf.js?abp=1&gdabp=true false
    • Avira URL Cloud: safe
    		 unknown
    https://ad-delivery.net/px.gif?ch=1&e=0.7550573385120041 false
    • Avira URL Cloud: safe
    		 unknown
    https://afs.googleusercontent.com/ad_icons/standard/publisher_icon_image/search.svg?c=%230f1c21 false
    • Avira URL Cloud: safe
    		 unknown
    https://btloader.com/tag?o=5097926782615552&upapi=true false
    • Avira URL Cloud: safe
    		 unknown
    http://www.onefordvd.com/lander false
    • Avira URL Cloud: safe
    		 unknown
    https://syndicatedsearch.goog/afs/gen_204?client=dp-namemedia06_3ph&output=uds_ads_only&zx=11hs6q014uq&aqid=1Y_QZrGTL9KnjuwPiPe1wA0&psid=7621175430&pbt=bs&adbx=267&adby=173.6875&adbh=464&adbw=500&adbah=148%2C148%2C148&adbn=master-1&eawp=partner-dp-namemedia06_3ph&errv=667606770&csala=4%7C0%7C1541%7C1243%7C284&lle=0&ifv=1&hpt=0 false
    • Avira URL Cloud: safe
    		 unknown