Windows Analysis Report
tyRPPK48Mk.exe

Overview

General Information

Sample name: tyRPPK48Mk.exe
renamed because original name is a hash value
Original sample name: 35a056cc53702fd3c3d9f0624eadae17b0e00ac7f18ffd50b6a708cc27183441.exe
Analysis ID: 1529033
MD5: 94a2b51672c9fb20b8bc7ebfcbf648c0
SHA1: b6bf724c582f4467fb4d87108744cafbdbd1169b
SHA256: 35a056cc53702fd3c3d9f0624eadae17b0e00ac7f18ffd50b6a708cc27183441
Tags: exe, Expiro, user-adrian__luca

Detection

Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Detected Remcos RAT
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Sigma detected: Remcos
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
AI detected suspicious sample
Contains functionality to behave differently if executed on a Russian/Kazakh computer
Creates files in the system32 config directory
Creates files inside the volume driver (system volume information)
Drops VBS files to the startup folder
Drops executable to a common third party application directory
Found direct / indirect Syscall (likely to bypass EDR)
Infects executable files (exe, dll, sys, html)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Queries random domain names (often used to prevent blacklisting and sinkholes)
Sigma detected: WScript or CScript Dropper
Switches to a custom stack to bypass stack traces
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Abnormal high CPU Usage
Binary contains a suspicious time stamp
Connects to many different domains
Contains functionality to read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Enables driver privileges
Enables security privileges
Executes massive DNS lookups (> 100)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Queries time zone information
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: Uncommon Svchost Parent Process
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Spawns drivers
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic
Yara signature match

Classification

Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

AV Detection

Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java-rmi.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Java\jre-1.8\bin\jabswitch.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Java\jre-1.8\bin\jjs.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\Au3Info.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.132\117.0.5938.132_chrome_installer.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: tyRPPK48Mk.exe ReversingLabs: Detection: 73%
Source: Yara match File source: 1.2.name.exe.3c50000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.name.exe.3d80000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.name.exe.3d80000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.name.exe.39b0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.name.exe.3d80000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.name.exe.3d80000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.name.exe.3c50000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.name.exe.39b0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.1824115002.0000000003D80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.1806914004.0000000003C50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.1962839216.00000000039B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.1958069943.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1848783066.0000000003D80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.1959006729.0000000000822000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: name.exe PID: 4420, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: name.exe PID: 2084, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: name.exe PID: 6908, type: MEMORYSTR
Source: Submitted Sample Integrated Neural Analysis Model: Matched 99.8% probability
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java-rmi.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Java\jre-1.8\bin\jabswitch.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Java\jre-1.8\bin\jjs.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Au3Info.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.132\117.0.5938.132_chrome_installer.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe Joe Sandbox ML: detected
Source: tyRPPK48Mk.exe Joe Sandbox ML: detected
Source: name.exe, 00000001.00000002.1806914004.0000000003C50000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: -----BEGIN PUBLIC KEY----- memstr_fb5aa34f-1

Exploits

Source: Yara match File source: 1.2.name.exe.3c50000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.name.exe.3d80000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.name.exe.3d80000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.name.exe.39b0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.name.exe.3d80000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.name.exe.3d80000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.name.exe.3c50000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.name.exe.39b0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.1824115002.0000000003D80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.1806914004.0000000003C50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.1962839216.00000000039B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.1958069943.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1848783066.0000000003D80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: name.exe PID: 4420, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: name.exe PID: 2084, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: name.exe PID: 6908, type: MEMORYSTR
Source: tyRPPK48Mk.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: Binary string: C:\work\p4\splinters\Splinters\S\BuildResults\bin\Win32\ReaderRelease\FullTrustNotifier\FullTrustNotifier.pdb77.GCTL source: svchost.exe, 00000006.00000003.2475292212.0000000004C30000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: E:\PkgInstaller\base\ntsetup\SrvPack.Main\tools\sfxcab\sfxcab\objfre\i386\sfxcab.pdb source: svchost.exe, 00000006.00000003.2571026895.0000000004B80000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.2552676258.0000000004CA0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.2555692425.0000000004CB0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: msiexec.pdb source: svchost.exe, 00000006.00000003.1940200063.0000000005760000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\DCB\CBT_Main\BuildResults\bin\Win32\Release\armsvc.pdb source: svchost.exe, 00000006.00000003.1848418445.0000000005560000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\AcrobatInfo.pdb source: svchost.exe, 00000006.00000003.2166044684.0000000004C90000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ssh-agent.pdb source: svchost.exe, 00000006.00000003.2024944125.0000000005760000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\TextExtractor.pdb444 source: svchost.exe, 00000006.00000003.2309255812.0000000004BE0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: WINLOA~1.PDBwinload_prod.pdb source: svchost.exe, 00000006.00000003.2113410162.0000000003083000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\TextExtractor.pdb source: svchost.exe, 00000006.00000003.2309255812.0000000004BE0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: msiexec.pdbGCTL source: svchost.exe, 00000006.00000003.1940200063.0000000005760000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ADelRCP_Exec.pdb source: svchost.exe, 00000006.00000003.2329602484.0000000004B90000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: mavinject32.pdbGCTL source: svchost.exe, 00000006.00000003.2631630815.00000000054F0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.2637810667.0000000004BB0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: PresentationFontCache.pdb source: svchost.exe, 00000006.00000003.1892510705.0000000005750000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000008.00000003.3178209395.0000000001470000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: PerceptionSimulationService.pdb source: svchost.exe, 00000006.00000003.1951393165.0000000005760000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: name.exe, 00000001.00000003.1802681812.0000000005030000.00000004.00001000.00020000.00000000.sdmp, name.exe, 00000001.00000003.1802504246.0000000003DE0000.00000004.00001000.00020000.00000000.sdmp, name.exe, 00000003.00000003.1821978946.00000000040B0000.00000004.00001000.00020000.00000000.sdmp, name.exe, 00000003.00000003.1818359606.0000000003F10000.00000004.00001000.00020000.00000000.sdmp, name.exe, 00000005.00000003.1837727518.0000000003F10000.00000004.00001000.00020000.00000000.sdmp, name.exe, 00000005.00000003.1840416756.0000000005860000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\WebInstaller\AcroMiniServicesUpdater.pdb source: svchost.exe, 00000006.00000003.2278103872.0000000004B90000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: MsSense.pdbGCTL source: svchost.exe, 00000006.00000003.1990664261.0000000005760000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: MsSense.pdb source: svchost.exe, 00000006.00000003.1990664261.0000000005760000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\dbs\el\omr\Target\x64\ship\click2run\x-none\InspectorOfficeGadget.pdb source: svchost.exe, 00000006.00000003.2608906582.0000000004C40000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\Acrobat\Installers\ShowAppPickerForPDF\Release_x64\ShowAppPickerForPDF.pdb source: svchost.exe, 00000006.00000003.2482581363.0000000004C20000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.2496506784.0000000004B80000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: WmiApSrv.pdbGCTL source: svchost.exe, 00000006.00000003.2075539957.0000000005760000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\WCChromeNativeMessagingHost.pdb888 source: svchost.exe, 00000006.00000003.2362639087.0000000004BA0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: Acrobat_SL.pdb((( source: svchost.exe, 00000006.00000003.2178027420.0000000004C40000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: locator.pdb source: svchost.exe, 00000006.00000003.1987958380.00000000054F0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1978746407.0000000005760000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: DiagnosticsHub.StandardCollector.Service.pdbGCTL source: svchost.exe, 00000006.00000003.1876194254.00000000056D0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ADelRCP_Exec.pdbCC9 source: svchost.exe, 00000006.00000003.2329602484.0000000004B90000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\AcroBroker.pdb source: svchost.exe, 00000006.00000003.2193636183.0000000004C40000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: Acrobat_SL.pdb source: svchost.exe, 00000006.00000003.2178027420.0000000004C40000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: E:\PkgInstaller\base\ntsetup\SrvPack.Main\tools\sfxcab\sfxcab\objfre\i386\sfxcab.pdbU source: svchost.exe, 00000006.00000003.2571026895.0000000004B80000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.2552676258.0000000004CA0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.2555692425.0000000004CB0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\WebInstaller\AcroMiniServicesUpdater.pdbT source: svchost.exe, 00000006.00000003.2278103872.0000000004B90000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\workspace\CR-Windows-x64-Client-Builder\x64\Release\CRWindowsClientService.pdbGG source: svchost.exe, 00000006.00000003.2385840703.0000000004CB0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\AcrobatInfo.pdb))) source: svchost.exe, 00000006.00000003.2166044684.0000000004C90000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: mavinject32.pdb source: svchost.exe, 00000006.00000003.2631630815.00000000054F0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.2637810667.0000000004BB0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: maintenanceservice.pdb source: svchost.exe, 00000006.00000003.1919148439.0000000005760000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: PerceptionSimulationService.pdbGCTL source: svchost.exe, 00000006.00000003.1951393165.0000000005760000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: msdtcexe.pdbGCTL source: svchost.exe, 00000006.00000003.1931405560.0000000005760000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: 64BitMAPIBroker.pdb source: svchost.exe, 00000006.00000003.2453584126.0000000004BC0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: snmptrap.pdbGCTL source: svchost.exe, 00000006.00000003.2004063369.0000000005760000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: PerfHost.pdbGCTL source: svchost.exe, 00000006.00000003.1964254852.0000000005720000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1975873172.00000000054F0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1966295550.0000000005760000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\dbs\el\omr\Target\x64\ship\click2run\x-none\InspectorOfficeGadget.pdbY source: svchost.exe, 00000006.00000003.2608906582.0000000004C40000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: E:\jenkins\workspace\NGL_WORKFLOW\build\master\win64\Release\Acrobat\project\win\ngl-workflow\x64\Release (Acrobat)\adobe_licensing_wf_helper_acro.pdb source: svchost.exe, 00000006.00000003.2432675812.0000000004C30000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\WCChromeNativeMessagingHost.pdb source: svchost.exe, 00000006.00000003.2362639087.0000000004BA0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\work\p4\splinters\Splinters\S\BuildResults\bin\Win32\ReaderRelease\FullTrustNotifier\FullTrustNotifier.pdb source: svchost.exe, 00000006.00000003.2475292212.0000000004C30000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: PerfHost.pdb source: svchost.exe, 00000006.00000003.1964254852.0000000005720000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1975873172.00000000054F0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1966295550.0000000005760000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\workspace\CR-Windows-x64-Client-Builder\x64\Release\CRWindowsClientService.pdb source: svchost.exe, 00000006.00000003.2385840703.0000000004CB0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release\Plug_ins\pi_brokers\32BitMAPIBroker.pdb@@ source: svchost.exe, 00000006.00000003.2438532554.0000000004CB0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: maintenanceservice.pdb` source: svchost.exe, 00000006.00000003.1919148439.0000000005760000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\Acrobat\Installers\ShowAppPickerForPDF\Release_x64\ShowAppPickerForPDF.pdb$$ source: svchost.exe, 00000006.00000003.2482581363.0000000004C20000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.2496506784.0000000004B80000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: name.exe, 00000001.00000003.1802681812.0000000005030000.00000004.00001000.00020000.00000000.sdmp, name.exe, 00000001.00000003.1802504246.0000000003DE0000.00000004.00001000.00020000.00000000.sdmp, name.exe, 00000003.00000003.1821978946.00000000040B0000.00000004.00001000.00020000.00000000.sdmp, name.exe, 00000003.00000003.1818359606.0000000003F10000.00000004.00001000.00020000.00000000.sdmp, name.exe, 00000005.00000003.1837727518.0000000003F10000.00000004.00001000.00020000.00000000.sdmp, name.exe, 00000005.00000003.1840416756.0000000005860000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: TieringEngineService.pdb source: svchost.exe, 00000006.00000003.2032642838.0000000005760000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: TieringEngineService.pdbGCTL source: svchost.exe, 00000006.00000003.2032642838.0000000005760000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: WmiApSrv.pdb source: svchost.exe, 00000006.00000003.2075539957.0000000005760000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\Eula.pdb source: svchost.exe, 00000006.00000003.2393262607.0000000004CB0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ntkrnlmp.pdbce_T151c2VyQ29udGV4dElkPTUsYSw=p source: svchost.exe, 00000006.00000003.2113410162.0000000003083000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ALG.pdb source: svchost.exe, 00000006.00000003.1854023776.0000000005890000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: msdtcexe.pdb source: svchost.exe, 00000006.00000003.1931405560.0000000005760000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: DiagnosticsHub.StandardCollector.Service.pdb source: svchost.exe, 00000006.00000003.1876194254.00000000056D0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ALG.pdbGCTL source: svchost.exe, 00000006.00000003.1854023776.0000000005890000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: PresentationFontCache.pdbHt^t Pt_CorExeMainmscoree.dll source: svchost.exe, 00000006.00000003.1892510705.0000000005750000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000008.00000003.3178209395.0000000001470000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: locator.pdbGCTL source: svchost.exe, 00000006.00000003.1987958380.00000000054F0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1978746407.0000000005760000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\AcroBroker.pdbTTT source: svchost.exe, 00000006.00000003.2193636183.0000000004C40000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ssh-agent.pdbX source: svchost.exe, 00000006.00000003.2024944125.0000000005760000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: AppVShNotify.pdb source: svchost.exe, 00000006.00000003.2602531162.0000000004B90000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: snmptrap.pdb source: svchost.exe, 00000006.00000003.2004063369.0000000005760000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release\Plug_ins\pi_brokers\32BitMAPIBroker.pdb source: svchost.exe, 00000006.00000003.2438532554.0000000004CB0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\Eula.pdb888 source: svchost.exe, 00000006.00000003.2393262607.0000000004CB0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: AppVShNotify.pdbGCTL source: svchost.exe, 00000006.00000003.2602531162.0000000004B90000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: WINLOA~1.PDBIEnloh source: svchost.exe, 00000006.00000003.2113410162.0000000003083000.00000004.00000020.00020000.00000000.sdmp

Spreading

Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Windows\System32\wbem\WmiApSrv.exe
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\chrome_pwa_launcher.exe
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\chrmstp.exe
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Program Files\Mozilla Firefox\pingsender.exe
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Windows\System32\vds.exe
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\setup.exe
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Windows\System32\alg.exe
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Program Files\7-Zip\7zFM.exe
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Windows\System32\snmptrap.exe
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Windows\System32\Spectrum.exe
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Program Files\Windows Media Player\wmpnetwk.exe
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Windows\System32\Locator.exe
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Program Files\7-Zip\7z.exe
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Windows\System32\AppVClient.exe
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Program Files\Mozilla Firefox\crashreporter.exe
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Windows\SysWOW64\perfhost.exe
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Program Files\7-Zip\7zG.exe
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Windows\System32\msiexec.exe
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Windows\System32\VSSVC.exe
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Windows\System32\wbengine.exe
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Windows\System32\SearchIndexer.exe
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\notification_helper.exe
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Program Files\Mozilla Firefox\private_browsing.exe
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Windows\System32\TieringEngineService.exe
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Program Files\Mozilla Firefox\firefox.exe
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Program Files (x86)\AutoIt3\Au3Info.exe
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Program Files\Mozilla Firefox\updater.exe
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Program Files (x86)\AutoIt3\Au3Check.exe
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\elevation_service.exe
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Windows\System32\AgentService.exe
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Program Files\7-Zip\Uninstall.exe
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Windows\System32\FXSSVC.exe
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Windows\System32\OpenSSH\ssh-agent.exe
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe System file written: C:\Windows\System32\sppsvc.exe
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Windows\System32\SensorDataService.exe
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Windows\System32\msdtc.exe
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Program Files\Mozilla Firefox\plugin-container.exe
Source: C:\Users\user\Desktop\tyRPPK48Mk.exe Code function: 0_2_00452492 FindFirstFileW,Sleep,FindNextFileW,FindClose, 0_2_00452492
Source: C:\Users\user\Desktop\tyRPPK48Mk.exe Code function: 0_2_00442886 FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00442886
Source: C:\Users\user\Desktop\tyRPPK48Mk.exe Code function: 0_2_004788BD FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 0_2_004788BD
Source: C:\Users\user\Desktop\tyRPPK48Mk.exe Code function: 0_2_004339B6 GetFileAttributesW,FindFirstFileW,FindClose, 0_2_004339B6
Source: C:\Users\user\Desktop\tyRPPK48Mk.exe Code function: 0_2_0045CAFA FindFirstFileW,FindNextFileW,FindClose, 0_2_0045CAFA
Source: C:\Users\user\Desktop\tyRPPK48Mk.exe Code function: 0_2_00431A86 FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00431A86
Source: C:\Users\user\Desktop\tyRPPK48Mk.exe Code function: 0_2_0044BD27 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose, 0_2_0044BD27
Source: C:\Users\user\Desktop\tyRPPK48Mk.exe Code function: 0_2_0045DE8F FindFirstFileW,FindClose, 0_2_0045DE8F
Source: C:\Users\user\Desktop\tyRPPK48Mk.exe Code function: 0_2_0044BF8B _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_0044BF8B
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 1_2_00452492 FindFirstFileW,Sleep,FindNextFileW,FindClose, 1_2_00452492
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 1_2_00442886 FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 1_2_00442886
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 1_2_004788BD FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 1_2_004788BD
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 1_2_004339B6 GetFileAttributesW,FindFirstFileW,FindClose, 1_2_004339B6
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 1_2_0045CAFA FindFirstFileW,FindNextFileW,FindClose, 1_2_0045CAFA
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 1_2_00431A86 FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 1_2_00431A86
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 1_2_0044BD27 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose, 1_2_0044BD27
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 1_2_0045DE8F FindFirstFileW,FindClose, 1_2_0045DE8F
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 1_2_0044BF8B _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose, 1_2_0044BF8B
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 3_2_00452492 FindFirstFileW,Sleep,FindNextFileW,FindClose, 3_2_00452492
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 3_2_00442886 FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 3_2_00442886
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 3_2_004788BD FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 3_2_004788BD
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 3_2_004339B6 GetFileAttributesW,FindFirstFileW,FindClose, 3_2_004339B6
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 3_2_0045CAFA FindFirstFileW,FindNextFileW,FindClose, 3_2_0045CAFA
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 3_2_00431A86 FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 3_2_00431A86
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 3_2_0044BD27 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose, 3_2_0044BD27
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 3_2_0045DE8F FindFirstFileW,FindClose, 3_2_0045DE8F
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 3_2_0044BF8B _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose, 3_2_0044BF8B
Source: C:\Windows\SysWOW64\svchost.exe File opened: C:\Documents and Settings\user\AppData\Local\
Source: C:\Windows\SysWOW64\svchost.exe File opened: C:\Documents and Settings\user\AppData\Local\Adobe\Acrobat\DC\
Source: C:\Windows\SysWOW64\svchost.exe File opened: C:\Documents and Settings\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\
Source: C:\Windows\SysWOW64\svchost.exe File opened: C:\Documents and Settings\user\AppData\Local\Adobe\
Source: C:\Windows\SysWOW64\svchost.exe File opened: C:\Documents and Settings\user\AppData\Local\Adobe\Acrobat\
Source: C:\Windows\SysWOW64\svchost.exe File opened: C:\Documents and Settings\user\AppData\Local\Adobe\Acrobat\DC\Cache\
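Triage helper for the two raw lists in this report: the "System file written" entries above and the Suricata alert lines under Networking below. This is an added example, not part of the sandbox report or of any vendor tooling; the embedded sample is a constructed subset of lines copied from this report, and 192.168.2.4 is the analysis VM address as it appears in the alert lines. It extracts what a responder needs from the lines as printed: the set of overwritten executables, the overwritten binaries that went on to overwrite others (above, the Edge elevation_service.exe, itself written by svchost.exe, later writes C:\Windows\System32\sppsvc.exe, so the infector has already spread beyond the injected host process), and the alert endpoints split into live C2, sinkhole responders and refanged DGA domains. The split matters because the AnubisNetworks sinkhole addresses prove the host is infected but are not attacker infrastructure, and the report prints the Expiro domains with a defanging space ("przvgke .biz") that has to be removed before they can be matched against DNS logs.

```python
import re

# Constructed sample: a handful of lines copied from the "Spreading" and
# "Networking" sections of this report, not the full lists.
REPORT_LINES = r"""
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Windows\System32\wbem\WmiApSrv.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe System file written: C:\Windows\System32\sppsvc.exe
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Windows\System32\alg.exe Jump to behavior
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49733 -> 204.10.160.212:6622
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49774 -> 204.10.160.212:6622
Source: Network traffic Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 54.244.188.177:80 -> 192.168.2.4:49735
Source: Network traffic Suricata IDS: 2051648 - Severity 1 - ET MALWARE DNS Query to Expiro Related Domain (przvgke .biz) : 192.168.2.4:63580 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2850851 - Severity 1 - ETPRO MALWARE Win32/Expiro.NDO CnC Activity : 192.168.2.4:49739 -> 172.234.222.143:80
"""

VICTIM_IP = "192.168.2.4"  # the analysis VM address as printed in this report

# "Jump to behavior" is the report's link text; it is optional so the same
# regex handles lines with and without it (compare the sppsvc.exe entry).
WRITE_RE = re.compile(
    r"^Source: (?P<writer>.+?) System file written: (?P<target>.+?)(?: Jump to behavior)?$")
ALERT_RE = re.compile(
    r"^Source: Network traffic Suricata IDS: (?P<sid>\d+) - Severity (?P<sev>\d+) - "
    r"(?P<msg>.+?) : (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$")
# The report defangs DGA domains as "przvgke .biz"; capture both halves to refang.
DOMAIN_RE = re.compile(r"\((?P<label>[a-z0-9-]+) \.(?P<tld>[a-z]+)\)")


def parse_report(text):
    """Split report lines into (writer, target) file-write events and Suricata alerts."""
    writes, alerts = [], []
    for line in text.splitlines():
        line = line.strip()
        m = WRITE_RE.match(line)
        if m:
            writes.append((m["writer"], m["target"]))
            continue
        m = ALERT_RE.match(line)
        if m:
            alerts.append(m.groupdict())
    return writes, alerts


def infected_targets(writes):
    """Every executable the trace shows being overwritten, deduplicated."""
    return sorted({target for _, target in writes})


def second_generation_infectors(writes):
    """Writers that were themselves overwritten earlier in the trace.

    A binary that was infected and then infected others shows the file
    infector has spread past the injected svchost.exe; pull those first."""
    targets = {target for _, target in writes}
    return sorted({writer for writer, _ in writes if writer in targets})


def network_iocs(alerts, victim=VICTIM_IP):
    """Sort alert endpoints into live C2, sinkhole responders and DGA domains."""
    iocs = {"c2": set(), "sinkhole": set(), "dga_domain": set()}
    for a in alerts:
        msg = a["msg"]
        # The remote side is whichever endpoint is not the victim; sinkhole
        # alerts fire on the reply, so there the remote is the source.
        if a["src"] == victim:
            remote_ip, remote_port = a["dst"], a["dport"]
        else:
            remote_ip, remote_port = a["src"], a["sport"]
        if "DNS Query" in msg:
            d = DOMAIN_RE.search(msg)
            if d:
                iocs["dga_domain"].add(f'{d["label"]}.{d["tld"]}')
        elif "Sinkhole" in msg:
            # Proof of infection, but the IP belongs to the sinkhole operator:
            # hunt on it, do not list it as attacker infrastructure.
            iocs["sinkhole"].add(remote_ip)
        else:
            family = "Remcos" if "Remcos" in msg else "Expiro" if "Expiro" in msg else "unknown"
            iocs["c2"].add((family, f"{remote_ip}:{remote_port}"))
    return iocs


if __name__ == "__main__":
    writes, alerts = parse_report(REPORT_LINES)
    print("overwritten executables:", len(infected_targets(writes)))
    print("second-generation infectors:", second_generation_infectors(writes))
    for kind, values in network_iocs(alerts).items():
        print(kind, sorted(values))
```

Feed the complete section text to parse_report to get the full lists; the target paths from infected_targets are the files to pull from a suspect host and to re-verify (signature status and hash against a known-good copy), and the c2 entries are the only endpoints that belong on a block list.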

Networking

Source: Network traffic Suricata IDS: 2051648 - Severity 1 - ET MALWARE DNS Query to Expiro Related Domain (przvgke .biz) : 192.168.2.4:63580 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49733 -> 204.10.160.212:6622
Source: Network traffic Suricata IDS: 2051648 - Severity 1 - ET MALWARE DNS Query to Expiro Related Domain (przvgke .biz) : 192.168.2.4:50853 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49774 -> 204.10.160.212:6622
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49769 -> 204.10.160.212:6622
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49738 -> 204.10.160.212:6622
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49766 -> 204.10.160.212:6622
Source: Network traffic Suricata IDS: 2850851 - Severity 1 - ETPRO MALWARE Win32/Expiro.NDO CnC Activity : 192.168.2.4:49739 -> 172.234.222.143:80
Source: Network traffic Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 54.244.188.177:80 -> 192.168.2.4:49735
Source: Network traffic Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 54.244.188.177:80 -> 192.168.2.4:49735
Source: Network traffic Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 18.141.10.107:80 -> 192.168.2.4:49736
Source: Network traffic Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 18.141.10.107:80 -> 192.168.2.4:49736
Source: Network traffic Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 44.221.84.105:80 -> 192.168.2.4:49745
Source: Network traffic Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 44.221.84.105:80 -> 192.168.2.4:49745
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49804 -> 204.10.160.212:6622
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49761 -> 204.10.160.212:6622
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49744 -> 204.10.160.212:6622
Source: Network traffic Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 47.129.31.212:80 -> 192.168.2.4:49790
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49730 -> 204.10.160.212:6622
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49752 -> 204.10.160.212:6622
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49762 -> 204.10.160.212:6622
Source: Network traffic Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 47.129.31.212:80 -> 192.168.2.4:49790
Source: Network traffic Suricata IDS: 2051649 - Severity 1 - ET MALWARE DNS Query to Expiro Related Domain (knjghuig .biz) : 192.168.2.4:57533 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 18.208.156.248:80 -> 192.168.2.4:49835
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49771 -> 204.10.160.212:6622
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49783 -> 204.10.160.212:6622
Source: Network traffic Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 18.208.156.248:80 -> 192.168.2.4:49835
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49845 -> 204.10.160.212:6622
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49772 -> 204.10.160.212:6622
Source: Network traffic Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 13.251.16.150:80 -> 192.168.2.4:49789
Source: Network traffic Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 13.251.16.150:80 -> 192.168.2.4:49789
Source: Network traffic Suricata IDS: 2051649 - Severity 1 - ET MALWARE DNS Query to Expiro Related Domain (knjghuig .biz) : 192.168.2.4:49249 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 34.246.200.160:80 -> 192.168.2.4:49828
Source: Network traffic Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 34.246.200.160:80 -> 192.168.2.4:49828
Source: Network traffic Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 3.94.10.34:80 -> 192.168.2.4:49883
Source: Network traffic Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 3.94.10.34:80 -> 192.168.2.4:49883
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49823 -> 204.10.160.212:6622
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49912 -> 204.10.160.212:6622
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49933 -> 204.10.160.212:6622
Source: Network traffic Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 35.164.78.200:80 -> 192.168.2.4:49872
Source: Network traffic Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 35.164.78.200:80 -> 192.168.2.4:49872
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49758 -> 204.10.160.212:6622
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49871 -> 204.10.160.212:6622
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49956 -> 204.10.160.212:6622
Source: Network traffic Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 44.213.104.86:80 -> 192.168.2.4:49966
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49891 -> 204.10.160.212:6622
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49764 -> 204.10.160.212:6622
Source: Network traffic Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 44.213.104.86:80 -> 192.168.2.4:49966
Source: Network traffic Suricata IDS: 2850851 - Severity 1 - ETPRO MALWARE Win32/Expiro.NDO CnC Activity : 192.168.2.4:49998 -> 18.208.156.248:80
Source: Network traffic Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 34.211.97.45:80 -> 192.168.2.4:49963
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49978 -> 204.10.160.212:6622
Source: Network traffic Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 34.211.97.45:80 -> 192.168.2.4:49963
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49997 -> 204.10.160.212:6622
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49765 -> 204.10.160.212:6622
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50037 -> 204.10.160.212:6622
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49767 -> 204.10.160.212:6622
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50059 -> 204.10.160.212:6622
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50016 -> 204.10.160.212:6622
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50077 -> 204.10.160.212:6622
Source: Network traffic Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 3.254.94.185:80 -> 192.168.2.4:50123
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50136 -> 204.10.160.212:6622
Source: Network traffic Suricata IDS: 2051651 - Severity 1 - ET MALWARE DNS Query to Expiro Domain (eufxebus .biz) : 192.168.2.4:60155 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 3.254.94.185:80 -> 192.168.2.4:50123
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50096 -> 204.10.160.212:6622
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50157 -> 204.10.160.212:6622
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50168 -> 204.10.160.212:6622
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50175 -> 204.10.160.212:6622
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50181 -> 204.10.160.212:6622
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50192 -> 204.10.160.212:6622
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50198 -> 204.10.160.212:6622
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50201 -> 204.10.160.212:6622
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50148 -> 204.10.160.212:6622
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50209 -> 204.10.160.212:6622
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50187 -> 204.10.160.212:6622
Source: Network traffic Suricata IDS: 2051654 - Severity 1 - ET MALWARE DNS Query to Expiro Domain (cikivjto .biz) : 192.168.2.4:53939 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50218 -> 204.10.160.212:6622
Source: Network traffic Suricata IDS: 2850851 - Severity 1 - ETPRO MALWARE Win32/Expiro.NDO CnC Activity : 192.168.2.4:50235 -> 18.208.156.248:80
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50143 -> 204.10.160.212:6622
Source: Network traffic Suricata IDS: 2051653 - Severity 1 - ET MALWARE DNS Query to Expiro Domain (htwqzczce .biz) : 192.168.2.4:59049 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50239 -> 204.10.160.212:6622
Source: Network traffic Suricata IDS: 2051650 - Severity 1 - ET MALWARE DNS Query to Expiro Domain (kcyvxytog .biz) : 192.168.2.4:49265 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2051651 - Severity 1 - ET MALWARE DNS Query to Expiro Domain (eufxebus .biz) : 192.168.2.4:55684 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50153 -> 204.10.160.212:6622
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50162 -> 204.10.160.212:6622
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50297 -> 204.10.160.212:6622
Source: Network traffic Suricata IDS: 2051652 - Severity 1 - ET MALWARE DNS Query to Expiro Domain (napws .biz) : 192.168.2.4:62580 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50261 -> 204.10.160.212:6622
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50226 -> 204.10.160.212:6622
Source: Network traffic Suricata IDS: 2850851 - Severity 1 - ETPRO MALWARE Win32/Expiro.NDO CnC Activity : 192.168.2.4:56539 -> 82.112.184.197:80
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50277 -> 204.10.160.212:6622
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50285 -> 204.10.160.212:6622
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:56569 -> 204.10.160.212:6622
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50205 -> 204.10.160.212:6622
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50327 -> 204.10.160.212:6622
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50280 -> 204.10.160.212:6622
Source: Network traffic Suricata IDS: 2051648 - Severity 1 - ET MALWARE DNS Query to Expiro Related Domain (przvgke .biz) : 192.168.2.4:56068 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50331 -> 204.10.160.212:6622
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:56521 -> 204.10.160.212:6622
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:56534 -> 204.10.160.212:6622
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:56554 -> 204.10.160.212:6622
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:56548 -> 204.10.160.212:6622
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50215 -> 204.10.160.212:6622
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50233 -> 204.10.160.212:6622
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:56608 -> 204.10.160.212:6622
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:56590 -> 204.10.160.212:6622
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:56602 -> 204.10.160.212:6622
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:56551 -> 204.10.160.212:6622
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:56593 -> 204.10.160.212:6622
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50340 -> 204.10.160.212:6622
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:56544 -> 204.10.160.212:6622
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:56553 -> 204.10.160.212:6622
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50244 -> 204.10.160.212:6622
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:56550 -> 204.10.160.212:6622
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:56524 -> 204.10.160.212:6622
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:56565 -> 204.10.160.212:6622
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:56529 -> 204.10.160.212:6622
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:56540 -> 204.10.160.212:6622
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:56604 -> 204.10.160.212:6622
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:56559 -> 204.10.160.212:6622
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:56567 -> 204.10.160.212:6622
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:56606 -> 204.10.160.212:6622
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50115 -> 204.10.160.212:6622
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50288 -> 204.10.160.212:6622
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:56607 -> 204.10.160.212:6622
Source: Network traffic Suricata IDS: 2051654 - Severity 1 - ET MALWARE DNS Query to Expiro Domain (cikivjto .biz) : 192.168.2.4:59374 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50319 -> 204.10.160.212:6622
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50273 -> 204.10.160.212:6622
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:56584 -> 204.10.160.212:6622
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50324 -> 204.10.160.212:6622
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50337 -> 204.10.160.212:6622
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:56603 -> 204.10.160.212:6622
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:56526 -> 204.10.160.212:6622
Source: Network traffic Suricata IDS: 2051648 - Severity 1 - ET MALWARE DNS Query to Expiro Related Domain (przvgke .biz) : 192.168.2.4:61194 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2051649 - Severity 1 - ET MALWARE DNS Query to Expiro Related Domain (knjghuig .biz) : 192.168.2.4:53761 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:56541 -> 204.10.160.212:6622
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50291 -> 204.10.160.212:6622
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:56549 -> 204.10.160.212:6622
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:56598 -> 204.10.160.212:6622
Source: Network traffic Suricata IDS: 2051650 - Severity 1 - ET MALWARE DNS Query to Expiro Domain (kcyvxytog .biz) : 192.168.2.4:53060 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50221 -> 204.10.160.212:6622
Source: Network traffic Suricata IDS: 2051653 - Severity 1 - ET MALWARE DNS Query to Expiro Domain (htwqzczce .biz) : 192.168.2.4:58104 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50303 -> 204.10.160.212:6622
Source: Network traffic Suricata IDS: 2051652 - Severity 1 - ET MALWARE DNS Query to Expiro Domain (napws .biz) : 192.168.2.4:49262 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:56557 -> 204.10.160.212:6622
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:56562 -> 204.10.160.212:6622
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:56543 -> 204.10.160.212:6622
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50313 -> 204.10.160.212:6622
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:56555 -> 204.10.160.212:6622
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:56558 -> 204.10.160.212:6622
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50334 -> 204.10.160.212:6622
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50249 -> 204.10.160.212:6622
Source: Network traffic Suricata IDS: 2051649 - Severity 1 - ET MALWARE DNS Query to Expiro Related Domain (knjghuig .biz) : 192.168.2.4:58529 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50344 -> 204.10.160.212:6622
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50267 -> 204.10.160.212:6622
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:56536 -> 204.10.160.212:6622
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:56538 -> 204.10.160.212:6622
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:56556 -> 204.10.160.212:6622
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:56596 -> 204.10.160.212:6622
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:56577 -> 204.10.160.212:6622
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:56560 -> 204.10.160.212:6622
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:56547 -> 204.10.160.212:6622
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:56573 -> 204.10.160.212:6622
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:56580 -> 204.10.160.212:6622
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:56587 -> 204.10.160.212:6622
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50255 -> 204.10.160.212:6622
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:56516 -> 204.10.160.212:6622
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:56545 -> 204.10.160.212:6622
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:50310 -> 204.10.160.212:6622
Source: C:\Windows\SysWOW64\svchost.exe Network Connect: 3.254.94.185 80
Source: C:\Windows\SysWOW64\svchost.exe Network Connect: 204.10.160.212 6622
Source: C:\Windows\SysWOW64\svchost.exe Network Connect: 3.94.10.34 80
Source: C:\Windows\SysWOW64\svchost.exe Network Connect: 34.246.200.160 80
Source: C:\Windows\SysWOW64\svchost.exe Network Connect: 172.234.222.143 80
Source: C:\Windows\SysWOW64\svchost.exe Network Connect: 18.208.156.248 80
Source: C:\Windows\SysWOW64\svchost.exe Network Connect: 34.211.97.45 80
Source: C:\Windows\SysWOW64\svchost.exe Network Connect: 208.100.26.245 80
Source: C:\Windows\SysWOW64\svchost.exe Network Connect: 35.164.78.200 80
Source: C:\Windows\SysWOW64\svchost.exe Network Connect: 165.160.13.20 80
Source: C:\Windows\SysWOW64\svchost.exe Network Connect: 44.213.104.86 80
Source: C:\Windows\SysWOW64\svchost.exe Network Connect: 44.221.84.105 80
Source: C:\Windows\SysWOW64\svchost.exe Network Connect: 85.214.228.140 80
Source: C:\Windows\SysWOW64\svchost.exe Network Connect: 54.244.188.177 80
Source: C:\Windows\SysWOW64\svchost.exe Network Connect: 13.251.16.150 80
Source: C:\Windows\SysWOW64\svchost.exe Network Connect: 47.129.31.212 80
Source: C:\Windows\SysWOW64\svchost.exe Network Connect: 82.112.184.197 80
Source: C:\Windows\SysWOW64\svchost.exe Network Connect: 18.141.10.107 80
Source: unknown DNS traffic detected: English language letter frequency does not match the domain names
Source: unknown Network traffic detected: DNS query count 128
Source: global traffic TCP traffic: 192.168.2.4:49730 -> 204.10.160.212:6622
Source: global traffic DNS traffic detected: number of DNS queries: 128
Source: global traffic HTTP traffic detected: POST /bvjounbjkagqnta HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: pywolwnvd.biz | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 | Content-Length: 786
Source: global traffic HTTP traffic detected: POST /rsmfnaxurgxpde HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: ssbzmoy.biz | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 | Content-Length: 786
Source: global traffic HTTP traffic detected: POST /dqlfliuucamv HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: pywolwnvd.biz | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 | Content-Length: 778
Source: global traffic HTTP traffic detected: POST /tacyehq HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: cvgrf.biz | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 | Content-Length: 786
Source: global traffic HTTP traffic detected: POST /aky HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: ssbzmoy.biz | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 | Content-Length: 778
Source: global traffic HTTP traffic detected: POST /bh HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: npukfztj.biz | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 | Content-Length: 786
Source: global traffic HTTP traffic detected: POST /xitm HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: przvgke.biz | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 | Content-Length: 786
Source: global traffic HTTP traffic detected: POST /hbj HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: cvgrf.biz | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 | Content-Length: 778
Source: global traffic HTTP traffic detected: POST /gvnfcd HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: przvgke.biz | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 | Content-Length: 786
Source: global traffic HTTP traffic detected: POST /elpwpt HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: cvgrf.biz | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 | Content-Length: 778
Source: global traffic HTTP traffic detected: POST /yywraaixbnedu HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: knjghuig.biz | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 | Content-Length: 786
Source: global traffic HTTP traffic detected: POST /dgeuecv HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: npukfztj.biz | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 | Content-Length: 778
Source: global traffic HTTP traffic detected: POST /ddsolxmfcvq HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: lpuegx.biz | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 | Content-Length: 786
Source: global traffic HTTP traffic detected: POST /nljwtdwahh HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: przvgke.biz | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 | Content-Length: 778
Source: global traffic HTTP traffic detected: POST /xjjg HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: przvgke.biz | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 | Content-Length: 778
Source: global traffic HTTP traffic detected: POST /ibdxbfqrqufvuu HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: knjghuig.biz | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 | Content-Length: 778
Source: global traffic HTTP traffic detected: POST /byear HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: knjghuig.biz | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 | Content-Length: 778
Source: global traffic HTTP traffic detected: POST /ipnvn HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: lpuegx.biz | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 | Content-Length: 778
Source: global traffic HTTP traffic detected: POST /w HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: lpuegx.biz | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 | Content-Length: 778
Source: global traffic HTTP traffic detected: POST /liar HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: vjaxhpbji.biz | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 | Content-Length: 778
Source: global traffic HTTP traffic detected: POST /jpdlcoeoakm HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: lpuegx.biz | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 | Content-Length: 786
Source: global traffic HTTP traffic detected: POST /d HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: vjaxhpbji.biz | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 | Content-Length: 786
Source: global traffic HTTP traffic detected: POST /emmmpldkokdghu HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: vjaxhpbji.biz | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 | Content-Length: 786
Source: global traffic HTTP traffic detected: POST /eyywnnlobvqfg HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: vjaxhpbji.biz | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 | Content-Length: 778
Source: global traffic HTTP traffic detected: POST /fwbtaqdcjwd HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: xlfhhhm.biz | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 | Content-Length: 786
Source: global traffic HTTP traffic detected: POST /gcsq HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: ifsaia.biz | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 | Content-Length: 786
Source: global traffic HTTP traffic detected: POST /hbkwpskje HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: xlfhhhm.biz | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 | Content-Length: 778
Source: global traffic HTTP traffic detected: POST /js HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: saytjshyf.biz | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 | Content-Length: 786
Source: global traffic HTTP traffic detected: POST /feejetjxxjumqw HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: vcddkls.biz | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 | Content-Length: 786
Source: global traffic HTTP traffic detected: POST /scwkixjormncu HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: ifsaia.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /dgcyhyi HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: fwiwk.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 786
Source: global traffic HTTP traffic detected: POST /lnlr HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: saytjshyf.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /atyxaeuca HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: fwiwk.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 786
Source: global traffic HTTP traffic detected: POST /ioljnnvkrvc HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: tbjrpv.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 786
Source: global traffic HTTP traffic detected: POST /vcjmpg HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: vcddkls.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /luaao HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: deoci.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 786
Source: global traffic HTTP traffic detected: POST /ewjlslyiisf HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: gytujflc.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 786
Source: global traffic HTTP traffic detected: POST /wtdwobcctwkccpvu HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: fwiwk.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /fnaptxelbkqpwkk HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: gytujflc.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 786
Source: global traffic HTTP traffic detected: POST /vyoggvtcvxheoco HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: qaynky.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 786
Source: global traffic HTTP traffic detected: POST /d HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: fwiwk.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /qjuvsft HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: bumxkqgxu.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 786
Source: global traffic HTTP traffic detected: POST /bvee HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: tbjrpv.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /nvddaclxpive HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: dwrqljrr.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 786
Source: global traffic HTTP traffic detected: POST /h HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: deoci.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /m HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: nqwjmb.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 786
Source: global traffic HTTP traffic detected: POST /pboamknl HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: gytujflc.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /mfuaeqrjbxmv HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: gytujflc.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /nxbumxilirhmvku HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: ytctnunms.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 786
Source: global traffic HTTP traffic detected: POST /jaumpxr HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: qaynky.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /ptbejgswjfxl HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: myups.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 786
Source: global traffic HTTP traffic detected: POST /xgterudimsf HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: myups.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 786
Source: global traffic HTTP traffic detected: POST /mitdmmperwbt HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: oshhkdluh.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 786
Source: global traffic HTTP traffic detected: POST /pyts HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: bumxkqgxu.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /ovcqqvbb HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: yunalwv.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 786
Source: global traffic HTTP traffic detected: POST /xphvd HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: yunalwv.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 786
Source: global traffic HTTP traffic detected: POST /hpbkng HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: dwrqljrr.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /qmkllgvo HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: jpskm.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 786
Source: global traffic HTTP traffic detected: POST /ouftojym HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: lrxdmhrr.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 786
Source: global traffic HTTP traffic detected: POST /kaxtgyu HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: nqwjmb.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /h HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: wllvnzb.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 786
Source: global traffic HTTP traffic detected: POST /dpntwbnivmh HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: ytctnunms.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /mshoclxftgdlbsbo HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: wllvnzb.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 786
Source: global traffic HTTP traffic detected: POST /cxtsujgx HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: myups.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /ryysvg HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: gnqgo.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 786
Source: global traffic HTTP traffic detected: POST /lihflvfpneg HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: myups.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /ihixrfcnmctn HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: oshhkdluh.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /bsskdfvqijpyfnid HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: jhvzpcfg.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 786
Source: global traffic HTTP traffic detected: POST /dxsssktqcq HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: acwjcqqv.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 786
Source: global traffic HTTP traffic detected: POST /gdfpfuufvopwu HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: yunalwv.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /v HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: yunalwv.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /qgorjabxoa HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: jpskm.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /v HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: vyome.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 786
Source: global traffic HTTP traffic detected: POST /weir HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: yauexmxk.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 786
Source: global traffic HTTP traffic detected: POST /xg HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: lrxdmhrr.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /hrvg HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: iuzpxe.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 786
Source: global traffic HTTP traffic detected: POST /bc HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: wllvnzb.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /hqdytjqsnbt HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: sxmiywsfv.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 786
Source: global traffic HTTP traffic detected: POST /bssxxkwdr HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: gnqgo.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /t HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: jhvzpcfg.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /jweaqenrkqbo HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: vrrazpdh.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 786
Source: global traffic HTTP traffic detected: POST /fehxmtmgeeq HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: acwjcqqv.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /h HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: ftxlah.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 786
Source: global traffic HTTP traffic detected: POST /aya HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: typgfhb.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 786
Source: global traffic HTTP traffic detected: POST /sopra HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: vyome.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /hb HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: yauexmxk.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /aaxb HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: esuzf.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 786
Source: global traffic HTTP traffic detected: POST /tw HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: iuzpxe.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /pa HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: gvijgjwkh.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 786
Source: global traffic HTTP traffic detected: POST /yp HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: qpnczch.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 786
Source: global traffic HTTP traffic detected: POST /ncst HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: sxmiywsfv.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /ej HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: brsua.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 786
Source: global traffic HTTP traffic detected: POST /ccheohdfgxjtt HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: dlynankz.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 786
Source: global traffic HTTP traffic detected: POST /eevmjkkfks HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: vrrazpdh.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /jqkpdrugusyff HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: oflybfv.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 786
Source: global traffic HTTP traffic detected: POST /ktcaihfarwj HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: ftxlah.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /jqu HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: yhqqc.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 786
Source: global traffic HTTP traffic detected: POST /ctr HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: typgfhb.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /rjfjacxyvik HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: mnjmhp.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 786
Source: global traffic HTTP traffic detected: POST /snachosinlefnrw HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: esuzf.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /rokvfxqf HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: opowhhece.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 786
Source: global traffic HTTP traffic detected: POST /vux HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: wluwplyh.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 786
Source: global traffic HTTP traffic detected: POST /iasdsuhvtygftfd HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: hlzfuyy.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /kfxwsateoe HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: zgapiej.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 786
Source: global traffic HTTP traffic detected: POST /df HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: rffxu.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /ewnr HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: jifai.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 786
Source: global traffic HTTP traffic detected: POST /prir HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: xnxvnn.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 786
Source: global traffic HTTP traffic detected: POST /vfforoslwsi HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: cikivjto.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /bfwumbhax HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: qncdaagct.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /wuqlqwd HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: ihcnogskt.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 786
Source: global traffic HTTP traffic detected: POST /doxg HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: shpwbsrw.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /jsxjkxjpifqnuouu HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: kkqypycm.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 786
Source: global traffic HTTP traffic detected: POST /niimxaprbqaffu HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: shpwbsrw.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /nfn HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: uevrpr.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 786
Source: global traffic HTTP traffic detected: POST /monvvvssytjyx HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: fgajqjyhr.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 786
Source: global traffic HTTP traffic detected: POST /xiubmulosfxjb HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: hagujcj.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 786
Source: global traffic HTTP traffic detected: POST /fb HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: cjvgcl.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /ymxofohtmnuucvl HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: neazudmrq.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /gbk HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: sctmku.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 786
Source: global traffic HTTP traffic detected: POST /leprwccfmwjgljdl HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: pgfsvwx.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /rbdqbpnxm HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: qcrsp.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 786
Source: global traffic HTTP traffic detected: POST /m HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: aatcwo.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /aumopkwtqjj HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: sewlqwcd.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 786
Source: global traffic HTTP traffic detected: POST /mwaqiugfciuwk HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: dyjdrp.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 786
Source: global traffic HTTP traffic detected: POST /nwtkmxcykx HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: kcyvxytog.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /rbaauabmruspy HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: napws.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 786
Source: global traffic HTTP traffic detected: POST /miwimxtpafcu HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: nwdnxrd.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /suayd HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: nwdnxrd.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /wpmohqs HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: qvuhsaqa.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 786
Source: global traffic HTTP traffic detected: POST /wggmqoohnhblgniy HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: ereplfx.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /octb HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: apzzls.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 786
Source: global traffic HTTP traffic detected: POST /unku HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: ptrim.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /hqtt HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: krnsmlmvd.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 786
Source: global traffic HTTP traffic detected: POST /unuaesdvma HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: ptrim.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /photgshiyqocqphc HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: nlscndwp.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 786
Source: global traffic HTTP traffic detected: POST /rbvpvahvdptnmihm HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: bzkysubds.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 786
Source: global traffic HTTP traffic detected: POST /ntn HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: znwbniskf.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /lo HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: ltpqsnu.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 786
Source: global traffic HTTP traffic detected: POST /pjj HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: vnvbt.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 786
Source: global traffic HTTP traffic detected: POST /mprtttkxf HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: cpclnad.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /goqcyypv HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: ypituyqsq.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 786
Source: global traffic HTTP traffic detected: POST /e HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: mjheo.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /gablvhtmh HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: ijnmvqa.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 786
Source: global traffic HTTP traffic detected: POST /fhni HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: wluwplyh.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /dwgnvhk HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: tltxn.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 786
Source: global traffic HTTP traffic detected: POST /owal HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: vgypotwp.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 786
Source: global traffic HTTP traffic detected: POST /lnsmaljo HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: zgapiej.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /dqpmafmlbtqvhnrg HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: jifai.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /hxjrtfgka HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: giliplg.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 786
Source: global traffic HTTP traffic detected: POST /ynoppsxgq HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: xnxvnn.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /cse HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: pywolwnvd.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 786
Source: global traffic HTTP traffic detected: POST /frspsabdfrkekfpe HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: xnxvnn.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /ciy HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: ssbzmoy.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 786
Source: global traffic HTTP traffic detected: POST /c HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: cvgrf.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 786
Source: global traffic HTTP traffic detected: POST /ep HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: ihcnogskt.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /qk HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: kkqypycm.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /bkannaowk HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: npukfztj.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 786
Source: global traffic HTTP traffic detected: POST /dxafj HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: przvgke.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 786
Source: global traffic HTTP traffic detected: POST /kjwscsuqcw HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: kkqypycm.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /ydykkbm HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: przvgke.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 786
Source: global traffic HTTP traffic detected: POST /iejxbuficdbc HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: knjghuig.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 786
Source: global traffic HTTP traffic detected: POST /buyo HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: uevrpr.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /lqvvkypadsjo HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: fgajqjyhr.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /ueghdwvi HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: lpuegx.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 786
Source: global traffic HTTP traffic detected: POST /oikor HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: hagujcj.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /vrswaovbjfo HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: sctmku.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /tnujqcpipeygk HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: qcrsp.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /pfkjxd HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: sewlqwcd.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /cftuaqt HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: dyjdrp.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /djbusjuctjl HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: napws.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /owvxws HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: qvuhsaqa.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /koqlarnbbmmihcqk HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: qvuhsaqa.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /id HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: apzzls.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /uya HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: krnsmlmvd.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /tqpp HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: nlscndwp.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /tqw HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: bzkysubds.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /jnrrefrcvyuil HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: bzkysubds.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /onwmapinbtfjn HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: ltpqsnu.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /mv HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: vnvbt.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /ddsiajborqwwhy HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: ypituyqsq.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /jpofyksbjpqc HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: ijnmvqa.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /hepqpxnpquciw HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: tltxn.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /ipjkggwvau HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: vgypotwp.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /ftgaslpyp HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: vgypotwp.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /gkyiuvpnjh HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: giliplg.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /pflbbequuvruv HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: pywolwnvd.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /kcplradlsavdg HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: ssbzmoy.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /j HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: cvgrf.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /vquxanduoru HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: npukfztj.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /kiwlk HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: przvgke.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /cltscgvpwbpfo HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: przvgke.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /yjt HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: knjghuig.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /s HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: lpuegx.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 786
Source: global traffic HTTP traffic detected: POST /kcqtefqtnxnl HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: knjghuig.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /rdibexbxyl HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: lpuegx.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /ubxmipvolouhvx HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: lpuegx.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /fsfetacrkfueyvf HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: vjaxhpbji.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /jvrhwxrbnsifft HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: vjaxhpbji.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /ynwfq HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: vjaxhpbji.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 786
Source: global traffic HTTP traffic detected: POST /owyyqldgxdmj HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: xlfhhhm.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /errqxstig HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: ifsaia.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /tvfuhlf HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: ifsaia.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /oxhtjjhhtrbh HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: saytjshyf.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /qioyymw HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: vcddkls.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /qblcwonxq HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: fwiwk.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /rlxco HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: fwiwk.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /suofoicot HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: tbjrpv.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /mbdgchbtxsngcq HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: deoci.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /rgqdiitmqxim HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: gytujflc.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /vafskmvpaafcwyhy HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: vjaxhpbji.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 786
Source: global traffic HTTP traffic detected: POST /frmapjmyi HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: gytujflc.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /slnbsufsiblm HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: qaynky.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /rvdlqpusbvnadr HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: bumxkqgxu.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /jeqvy HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: bumxkqgxu.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /tamvxfmbvljef HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: dwrqljrr.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /qruvyya HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: nqwjmb.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /ae HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: ytctnunms.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /uwmqwimibwapay HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: myups.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /lldlbyoesphcqdkf HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: myups.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /apxsujb HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: oshhkdluh.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /eomxyn HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: oshhkdluh.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /pmatqnbxrumnnfx HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: yunalwv.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /bnjfyckdmdaodoy HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: yunalwv.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /phssgedc HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: jpskm.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /x HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: lrxdmhrr.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /phecjisjxfiw HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: wllvnzb.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /dxuovgh HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: wllvnzb.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /jtyrnesofmrmc HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: gnqgo.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /gorhlmlyitqqsxl HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: jhvzpcfg.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\tyRPPK48Mk.exe Code function: 0_2_004422FE InternetQueryDataAvailable,InternetReadFile, 0_2_004422FE
Source: global traffic DNS traffic detected: DNS query: pywolwnvd.biz
Source: global traffic DNS traffic detected: DNS query: ssbzmoy.biz
Source: global traffic DNS traffic detected: DNS query: cvgrf.biz
Source: global traffic DNS traffic detected: DNS query: npukfztj.biz
Source: global traffic DNS traffic detected: DNS query: przvgke.biz
Source: global traffic DNS traffic detected: DNS query: zlenh.biz
Source: global traffic DNS traffic detected: DNS query: knjghuig.biz
Source: global traffic DNS traffic detected: DNS query: uhxqin.biz
Source: global traffic DNS traffic detected: DNS query: anpmnmxo.biz
Source: global traffic DNS traffic detected: DNS query: lpuegx.biz
Source: global traffic DNS traffic detected: DNS query: vjaxhpbji.biz
Source: global traffic DNS traffic detected: DNS query: xlfhhhm.biz
Source: global traffic DNS traffic detected: DNS query: ifsaia.biz
Source: global traffic DNS traffic detected: DNS query: saytjshyf.biz
Source: global traffic DNS traffic detected: DNS query: vcddkls.biz
Source: global traffic DNS traffic detected: DNS query: fwiwk.biz
Source: global traffic DNS traffic detected: DNS query: tbjrpv.biz
Source: global traffic DNS traffic detected: DNS query: deoci.biz
Source: global traffic DNS traffic detected: DNS query: gytujflc.biz
Source: global traffic DNS traffic detected: DNS query: qaynky.biz
Source: global traffic DNS traffic detected: DNS query: bumxkqgxu.biz
Source: global traffic DNS traffic detected: DNS query: dwrqljrr.biz
Source: global traffic DNS traffic detected: DNS query: nqwjmb.biz
Source: global traffic DNS traffic detected: DNS query: ytctnunms.biz
Source: global traffic DNS traffic detected: DNS query: myups.biz
Source: global traffic DNS traffic detected: DNS query: oshhkdluh.biz
Source: global traffic DNS traffic detected: DNS query: yunalwv.biz
Source: global traffic DNS traffic detected: DNS query: jpskm.biz
Source: global traffic DNS traffic detected: DNS query: lrxdmhrr.biz
Source: global traffic DNS traffic detected: DNS query: wllvnzb.biz
Source: global traffic DNS traffic detected: DNS query: gnqgo.biz
Source: global traffic DNS traffic detected: DNS query: jhvzpcfg.biz
Source: global traffic DNS traffic detected: DNS query: acwjcqqv.biz
Source: global traffic DNS traffic detected: DNS query: lejtdj.biz
Source: global traffic DNS traffic detected: DNS query: vyome.biz
Source: global traffic DNS traffic detected: DNS query: yauexmxk.biz
Source: global traffic DNS traffic detected: DNS query: iuzpxe.biz
Source: global traffic DNS traffic detected: DNS query: sxmiywsfv.biz
Source: global traffic DNS traffic detected: DNS query: vrrazpdh.biz
Source: global traffic DNS traffic detected: DNS query: ftxlah.biz
Source: global traffic DNS traffic detected: DNS query: typgfhb.biz
Source: global traffic DNS traffic detected: DNS query: esuzf.biz
Source: global traffic DNS traffic detected: DNS query: gvijgjwkh.biz
Source: global traffic DNS traffic detected: DNS query: qpnczch.biz
Source: global traffic DNS traffic detected: DNS query: brsua.biz
Source: global traffic DNS traffic detected: DNS query: dlynankz.biz
Source: global traffic DNS traffic detected: DNS query: oflybfv.biz
Source: global traffic DNS traffic detected: DNS query: yhqqc.biz
Source: global traffic DNS traffic detected: DNS query: mnjmhp.biz
Source: global traffic DNS traffic detected: DNS query: opowhhece.biz
Source: global traffic DNS traffic detected: DNS query: zjbpaao.biz
Source: global traffic DNS traffic detected: DNS query: jdhhbs.biz
Source: global traffic DNS traffic detected: DNS query: mgmsclkyu.biz
Source: global traffic DNS traffic detected: DNS query: warkcdu.biz
Source: global traffic DNS traffic detected: DNS query: gcedd.biz
Source: global traffic DNS traffic detected: DNS query: jwkoeoqns.biz
Source: global traffic DNS traffic detected: DNS query: xccjj.biz
Source: global traffic DNS traffic detected: DNS query: hehckyov.biz
Source: global traffic DNS traffic detected: DNS query: rynmcq.biz
Source: global traffic DNS traffic detected: DNS query: uaafd.biz
Source: global traffic DNS traffic detected: DNS query: eufxebus.biz
Source: global traffic DNS traffic detected: DNS query: pwlqfu.biz
Source: global traffic DNS traffic detected: DNS query: rrqafepng.biz
Source: global traffic DNS traffic detected: DNS query: ctdtgwag.biz
Source: global traffic DNS traffic detected: DNS query: tnevuluw.biz
Source: global traffic DNS traffic detected: DNS query: whjovd.biz
Source: global traffic DNS traffic detected: DNS query: gjogvvpsf.biz
Source: global traffic DNS traffic detected: DNS query: reczwga.biz
Source: global traffic DNS traffic detected: DNS query: bghjpy.biz
Source: global traffic DNS traffic detected: DNS query: damcprvgv.biz
Source: global traffic DNS traffic detected: DNS query: ocsvqjg.biz
Source: global traffic DNS traffic detected: DNS query: ywffr.biz
Source: global traffic DNS traffic detected: DNS query: ecxbwt.biz
Source: global traffic DNS traffic detected: DNS query: pectx.biz
Source: global traffic DNS traffic detected: DNS query: zyiexezl.biz
Source: global traffic DNS traffic detected: DNS query: banwyw.biz
Source: global traffic DNS traffic detected: DNS query: muapr.biz
Source: global traffic DNS traffic detected: DNS query: wxgzshna.biz
Source: global traffic DNS traffic detected: DNS query: zrlssa.biz
Source: global traffic DNS traffic detected: DNS query: jlqltsjvh.biz
Source: global traffic DNS traffic detected: DNS query: xyrgy.biz
Source: global traffic DNS traffic detected: DNS query: htwqzczce.biz
Source: global traffic DNS traffic detected: DNS query: kvbjaur.biz
Source: global traffic DNS traffic detected: DNS query: uphca.biz
Source: global traffic DNS traffic detected: DNS query: fjumtfnz.biz
Source: global traffic DNS traffic detected: DNS query: hlzfuyy.biz
Source: global traffic DNS traffic detected: DNS query: rffxu.biz
Source: global traffic DNS traffic detected: DNS query: cikivjto.biz
Source: global traffic DNS traffic detected: DNS query: qncdaagct.biz
Source: global traffic DNS traffic detected: DNS query: shpwbsrw.biz
Source: global traffic DNS traffic detected: DNS query: cjvgcl.biz
Source: global traffic DNS traffic detected: DNS query: neazudmrq.biz
Source: global traffic DNS traffic detected: DNS query: pgfsvwx.biz
Source: global traffic DNS traffic detected: DNS query: aatcwo.biz
Source: global traffic DNS traffic detected: DNS query: kcyvxytog.biz
Source: global traffic DNS traffic detected: DNS query: nwdnxrd.biz
Source: global traffic DNS traffic detected: DNS query: ereplfx.biz
Source: global traffic DNS traffic detected: DNS query: ptrim.biz
Source: global traffic DNS traffic detected: DNS query: znwbniskf.biz
Source: global traffic DNS traffic detected: DNS query: cpclnad.biz
Source: unknown HTTP traffic detected: POST /bvjounbjkagqnta HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: pywolwnvd.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 786
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.0 (Ubuntu)Date: Tue, 08 Oct 2024 13:28:45 GMTContent-Type: text/htmlContent-Length: 580Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx/1.14.0 (Ubuntu) Date: Tue, 08 Oct 2024 13:28:45 GMT Content-Type: text/html Content-Length: 580 Connection: keep-alive Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx/1.14.0 (Ubuntu) Date: Tue, 08 Oct 2024 13:28:49 GMT Content-Type: text/html Content-Length: 580 Connection: keep-alive Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx/1.14.0 (Ubuntu) Date: Tue, 08 Oct 2024 13:28:49 GMT Content-Type: text/html Content-Length: 580 Connection: keep-alive Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx/1.14.0 (Ubuntu) Date: Tue, 08 Oct 2024 13:28:49 GMT Content-Type: text/html Content-Length: 580 Connection: keep-alive Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx/1.14.0 (Ubuntu) Date: Tue, 08 Oct 2024 13:28:49 GMT Content-Type: text/html Content-Length: 580 Connection: keep-alive Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx/1.14.0 (Ubuntu) Date: Tue, 08 Oct 2024 13:28:50 GMT Content-Type: text/html Content-Length: 580 Connection: keep-alive Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx/1.14.0 (Ubuntu) Date: Tue, 08 Oct 2024 13:28:53 GMT Content-Type: text/html Content-Length: 580 Connection: keep-alive Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx/1.14.0 (Ubuntu) Date: Tue, 08 Oct 2024 13:28:54 GMT Content-Type: text/html Content-Length: 580 Connection: keep-alive Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx/1.14.0 (Ubuntu) Date: Tue, 08 Oct 2024 13:28:59 GMT Content-Type: text/html Content-Length: 580 Connection: keep-alive Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx/1.14.0 (Ubuntu) Date: Tue, 08 Oct 2024 13:28:59 GMT Content-Type: text/html Content-Length: 580 Connection: keep-alive Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx/1.27.2 Date: Tue, 08 Oct 2024 13:29:13 GMT Transfer-Encoding: chunked Connection: keep-alive Keep-Alive: timeout=20 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx/1.27.2 Date: Tue, 08 Oct 2024 13:29:21 GMT Transfer-Encoding: chunked Connection: keep-alive Keep-Alive: timeout=20 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx/1.14.0 (Ubuntu) Date: Tue, 08 Oct 2024 13:29:34 GMT Content-Type: text/html Content-Length: 580 Connection: keep-alive Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx/1.14.0 (Ubuntu) Date: Tue, 08 Oct 2024 13:29:34 GMT Content-Type: text/html Content-Length: 580 Connection: keep-alive Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx/1.14.0 (Ubuntu) Date: Tue, 08 Oct 2024 13:29:50 GMT Content-Type: text/html Content-Length: 580 Connection: keep-alive Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.0 (Ubuntu)Date: Tue, 08 Oct 2024 13:29:50 GMTContent-Type: text/htmlContent-Length: 580Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not 
Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.0 (Ubuntu)Date: Tue, 08 Oct 2024 13:31:44 GMTContent-Type: text/htmlContent-Length: 580Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not 
Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.0 (Ubuntu)Date: Tue, 08 Oct 2024 13:31:44 GMTContent-Type: text/htmlContent-Length: 580Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not 
Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.0 (Ubuntu)Date: Tue, 08 Oct 2024 13:31:51 GMTContent-Type: text/htmlContent-Length: 580Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not 
Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.0 (Ubuntu)Date: Tue, 08 Oct 2024 13:31:51 GMTContent-Type: text/htmlContent-Length: 580Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not 
Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: alg.exe, 00000008.00000003.2316109693.000000000053E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://13.251.16.150/
Source: alg.exe, 00000008.00000003.2316109693.000000000053E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://13.251.16.150/3
Source: svchost.exe, 00000006.00000003.2551581839.00000000030A6000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.2550628200.00000000030A4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://13.251.16.150/hrvgX
Source: alg.exe, 00000008.00000003.2431200193.0000000000573000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000008.00000003.2416150637.0000000000573000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000008.00000003.2440149146.0000000000573000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://13.251.16.150/jaumpxrl
Source: alg.exe, 00000008.00000003.2316109693.0000000000530000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000008.00000003.2316109693.000000000053E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://13.251.16.150/scwkixjormncu
Source: alg.exe, 00000008.00000003.2316109693.000000000053E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://13.251.16.150/scwkixjormncus
Source: svchost.exe, 00000006.00000003.2551581839.00000000030A6000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.2550628200.00000000030A4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://13.251.16.150:80/hqdytjqsnbtC
Source: svchost.exe, 00000006.00000003.2551581839.00000000030A6000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.2550628200.00000000030A4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://13.251.16.150:80/hrvgrobat
Source: svchost.exe, 00000006.00000003.2551441037.000000000307D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.2552020416.0000000003082000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://165.160.13.20/ptbejgswjfxl
Source: alg.exe, 00000008.00000003.2361537798.000000000057E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://172.234.222.138/d
Source: alg.exe, 00000008.00000003.1942321512.000000000053E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://172.234.222.143/
Source: alg.exe, 00000008.00000003.1942321512.000000000053E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://172.234.222.143/$
Source: alg.exe, 00000008.00000003.1942321512.000000000053E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://172.234.222.143/0
Source: svchost.exe, 00000006.00000003.2395862116.000000000307A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://172.234.222.143/atyxaeuca
Source: svchost.exe, 00000006.00000003.2395862116.000000000307A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://172.234.222.143/dgcyhyi
Source: alg.exe, 00000008.00000003.1942321512.000000000053E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://172.234.222.143/nljwtdwahh
Source: alg.exe, 00000008.00000003.1942321512.000000000053E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://172.234.222.143/nljwtdwahhgs
Source: alg.exe, 00000008.00000003.1942321512.000000000053E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://172.234.222.143/t
Source: alg.exe, 00000008.00000003.2251017479.0000000000558000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000008.00000003.2033579316.0000000000558000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://172.234.222.143:80/xjjg
Source: alg.exe, 00000008.00000003.2614951526.0000000000590000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000008.00000003.1942321512.000000000053E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000008.00000003.1922932295.000000000053E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000008.00000003.2573297149.000000000058F000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000008.00000003.1905150358.000000000053E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000008.00000003.2564994395.000000000058E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000008.00000003.2599053354.000000000058F000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000008.00000003.1905662972.000000000053E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://18.141.10.107/
Source: alg.exe, 00000008.00000003.1922932295.000000000053E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000008.00000003.1905150358.000000000053E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000008.00000003.1905662972.000000000053E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://18.141.10.107/aky
Source: alg.exe, 00000008.00000003.1904970187.000000000055E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://18.141.10.107/aky.177/dq
Source: alg.exe, 00000008.00000003.1905150358.000000000053E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000008.00000003.1905662972.000000000053E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://18.141.10.107/akyttings
Source: alg.exe, 00000008.00000003.2531077401.000000000055D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://18.141.10.107/bc
Source: svchost.exe, 00000006.00000003.2551441037.000000000307D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.2552020416.0000000003082000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://18.141.10.107/dxsssktqcq
Source: alg.exe, 00000008.00000003.3137092544.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000008.00000003.3163550787.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000008.00000003.3142560146.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000008.00000003.3154349720.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000008.00000003.3149933208.00000000005D1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://18.141.10.107/ekoddjskuurntxll
Source: alg.exe, 00000008.00000003.2981382953.00000000005C6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://18.141.10.107/gbqdupu
Source: alg.exe, 00000008.00000003.1905150358.000000000053E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://18.141.10.107/ky
Source: alg.exe, 00000008.00000003.1922932295.0000000000558000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000008.00000003.1905150358.0000000000558000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000008.00000003.1913832298.0000000000558000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000008.00000003.1905662972.0000000000558000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://18.141.10.107:80/akythernet0-QoS
Source: alg.exe, 00000008.00000003.2251017479.0000000000558000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000008.00000003.2033579316.0000000000558000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://18.141.10.107:80/byear
Source: alg.exe, 00000008.00000003.2846373705.0000000000590000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://18.208.156.248/
Source: alg.exe, 00000008.00000003.2644014392.000000000055D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://18.208.156.248/hbv
Source: alg.exe, 00000008.00000003.3163550787.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000008.00000003.3179831563.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000008.00000003.3142560146.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000008.00000003.3170087253.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000008.00000003.3154349720.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000008.00000003.3149933208.00000000005D1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://18.208.156.248/ipraobeqvefqwo~J
Source: svchost.exe, 00000006.00000003.2551441037.000000000307D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://18.208.156.248/weir
Source: svchost.exe, 00000006.00000003.2395862116.000000000307A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://208.100.26.245/ewjlslyiisf
Source: alg.exe, 00000008.00000003.2396437927.0000000000573000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://208.100.26.245/pboamknl
Source: alg.exe, 00000008.00000003.3072571369.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000008.00000003.3042269569.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000008.00000003.3023182878.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000008.00000003.3013990554.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000008.00000003.3053741021.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000008.00000003.3081392177.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000008.00000003.3096626159.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000008.00000003.3033736358.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000008.00000003.3091151676.00000000005D1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://208.100.26.245/qnguomsjnupgmlrKG
Source: alg.exe, 00000008.00000003.2913758256.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000008.00000003.2903231630.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000008.00000003.2952832694.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000008.00000003.2962263699.00000000005C6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://3.254.94.185/flkouthsl
Source: alg.exe, 00000008.00000003.3072571369.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000008.00000003.3053741021.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000008.00000003.3081392177.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000008.00000003.3096626159.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000008.00000003.3091151676.00000000005D1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://3.254.94.185/gmghpoftyccoynqy
Source: alg.exe, 00000008.00000003.2699036567.00000000005CA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://3.254.94.185/ieicusmwh
Source: alg.exe, 00000008.00000003.2458126956.0000000000573000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000008.00000003.2459638272.0000000000573000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://3.94.10.34/dpntwbnivmh
Source: svchost.exe, 00000006.00000003.2551441037.000000000307D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.2552020416.0000000003082000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://3.94.10.34/nxbumxilirhmvku
Source: alg.exe, 00000008.00000003.2678532380.0000000000581000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000008.00000003.2724357178.000000000057E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000008.00000003.2735370442.000000000057C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://3.94.10.34/rkgoodhecptjykcl
Source: alg.exe, 00000008.00000003.3072571369.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000008.00000003.3042269569.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000008.00000003.3053741021.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000008.00000003.3081392177.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000008.00000003.3096626159.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000008.00000003.3033736358.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000008.00000003.3091151676.00000000005D1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://34.211.97.45/cblcujxhilpbxlv
Source: alg.exe, 00000008.00000003.2644014392.000000000055D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://34.211.97.45/eevmjkkfks
Source: alg.exe, 00000008.00000003.3191302720.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000008.00000003.3201005428.00000000005D1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://34.211.97.45/iasdsuhvtygftfd~J
Source: svchost.exe, 00000006.00000003.2551441037.000000000307D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.2552020416.0000000003082000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://34.211.97.45/jweaqenrkqbo
Source: alg.exe, 00000008.00000003.2678532380.0000000000581000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://34.211.97.45/snachosinlefnrw
Source: alg.exe, 00000008.00000003.2818358771.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000008.00000003.2789761856.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000008.00000003.2768064977.00000000005CA000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000008.00000003.2839959599.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000008.00000003.2751327328.00000000005CA000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000008.00000003.2734340919.00000000005CA000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000008.00000003.2802220414.00000000005C6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://34.211.97.45/vbfsvakjwax
Source: alg.exe, 00000008.00000003.2914740529.000000000058F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://34.246.200.160/
Source: alg.exe, 00000008.00000003.2935944224.00000000005D0000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000008.00000003.2953580866.00000000005D2000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000008.00000003.2981382953.00000000005D2000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000008.00000003.2962263699.00000000005D2000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000008.00000003.2913758256.00000000005CD000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000008.00000003.2931823808.00000000005CD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://34.246.200.160/fxeavmroscrKG
Source: svchost.exe, 00000006.00000003.2395862116.000000000307A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://34.246.200.160/ioljnnvkrvc
Source: alg.exe, 00000008.00000003.2818358771.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000008.00000003.2802220414.00000000005C6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://34.246.200.160/udhgonlj7S
Source: C:\Users\user\Desktop\tyRPPK48Mk.exe Code function: 0_2_0045A10F OpenClipboard,EmptyClipboard,CloseClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 0_2_0045A10F
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 1_2_0045A10F OpenClipboard,EmptyClipboard,CloseClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 1_2_0045A10F
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 3_2_0045A10F OpenClipboard,EmptyClipboard,CloseClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 3_2_0045A10F
Source: C:\Users\user\Desktop\tyRPPK48Mk.exe Code function: 0_2_0046DCB4 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard, 0_2_0046DCB4
Source: C:\Users\user\Desktop\tyRPPK48Mk.exe Code function: 0_2_0044C37A GetKeyboardState,SetKeyboardState,PostMessageW,PostMessageW,SendInput, 0_2_0044C37A
Source: C:\Users\user\Desktop\tyRPPK48Mk.exe Code function: 0_2_0047C81C SendMessageW,DefDlgProcW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,GetWindowLongW,SendMessageW,SendMessageW,SendMessageW,_wcsncpy,SendMessageW,SendMessageW,SendMessageW,InvalidateRect,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 0_2_0047C81C
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 1_2_0047C81C SendMessageW,DefDlgProcW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,GetWindowLongW,SendMessageW,SendMessageW,SendMessageW,_wcsncpy,SendMessageW,SendMessageW,SendMessageW,InvalidateRect,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 1_2_0047C81C
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 3_2_0047C81C SendMessageW,DefDlgProcW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,GetWindowLongW,SendMessageW,SendMessageW,SendMessageW,_wcsncpy,SendMessageW,SendMessageW,SendMessageW,InvalidateRect,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 3_2_0047C81C
Source: Yara match File source: 1.2.name.exe.3c50000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.name.exe.3d80000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.name.exe.3d80000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.name.exe.39b0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.name.exe.3d80000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.name.exe.3d80000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.name.exe.3c50000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.name.exe.39b0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.1824115002.0000000003D80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.1806914004.0000000003C50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.1962839216.00000000039B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.1958069943.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1848783066.0000000003D80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: name.exe PID: 4420, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: name.exe PID: 2084, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: name.exe PID: 6908, type: MEMORYSTR

E-Banking Fraud

Source: Yara match File source: 1.2.name.exe.3c50000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.name.exe.3d80000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.name.exe.3d80000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.name.exe.39b0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.name.exe.3d80000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.name.exe.3d80000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.name.exe.3c50000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.name.exe.39b0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.1824115002.0000000003D80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.1806914004.0000000003C50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.1962839216.00000000039B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.1958069943.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1848783066.0000000003D80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.1959006729.0000000000822000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: name.exe PID: 4420, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: name.exe PID: 2084, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: name.exe PID: 6908, type: MEMORYSTR

System Summary

Source: 1.2.name.exe.3c50000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 1.2.name.exe.3c50000.1.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 3.2.name.exe.3d80000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 3.2.name.exe.3d80000.1.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 5.2.name.exe.3d80000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 5.2.name.exe.3d80000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 22.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 22.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 22.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 22.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 22.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 18.2.name.exe.39b0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 18.2.name.exe.39b0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 3.2.name.exe.3d80000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 3.2.name.exe.3d80000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 5.2.name.exe.3d80000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 5.2.name.exe.3d80000.1.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 1.2.name.exe.3c50000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 1.2.name.exe.3c50000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 18.2.name.exe.39b0000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 18.2.name.exe.39b0000.1.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000003.00000002.1824115002.0000000003D80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000003.00000002.1824115002.0000000003D80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000001.00000002.1806914004.0000000003C50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000001.00000002.1806914004.0000000003C50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000012.00000002.1962839216.00000000039B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000012.00000002.1962839216.00000000039B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000016.00000002.1958069943.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000016.00000002.1958069943.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000016.00000002.1958069943.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000005.00000002.1848783066.0000000003D80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000005.00000002.1848783066.0000000003D80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: Process Memory Space: name.exe PID: 4420, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: name.exe PID: 2084, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: name.exe PID: 6908, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Windows\SysWOW64\svchost.exe Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\tyRPPK48Mk.exe Code function: 0_2_00431BE8: GetFullPathNameW,__swprintf,_wcslen,CreateDirectoryW,CreateFileW,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle, 0_2_00431BE8
Source: C:\Users\user\Desktop\tyRPPK48Mk.exe Code function: 0_2_00446313 DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,_wcsncpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, 0_2_00446313
Source: C:\Users\user\Desktop\tyRPPK48Mk.exe Code function: 0_2_004333BE GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState, 0_2_004333BE
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 1_2_004333BE GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState, 1_2_004333BE
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 3_2_004333BE GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState, 3_2_004333BE
Source: C:\Windows\System32\alg.exe File created: C:\Windows\system32\config\systemprofile\AppData\Roaming\73722fd785394ff7.bin
Source: C:\Windows\System32\wbengine.exe File created: C:\Windows\Logs\WindowsBackup
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 3_2_004119E3 3_2_004119E3
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 3_2_0041C9AE 3_2_0041C9AE
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 3_2_0047EA6F 3_2_0047EA6F
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 3_2_0040FA10 3_2_0040FA10
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 3_2_0044EB59 3_2_0044EB59
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 3_2_00423C81 3_2_00423C81
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 3_2_00411E78 3_2_00411E78
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 3_2_00442E0C 3_2_00442E0C
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 3_2_00420EC0 3_2_00420EC0
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 3_2_0044CF17 3_2_0044CF17
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 3_2_00444FD2 3_2_00444FD2
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 3_2_04CE6680 3_2_04CE6680
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 5_2_04CD9640 5_2_04CD9640
Source: C:\Windows\System32\AppVClient.exe Code function: 12_2_0055A810 12_2_0055A810
Source: C:\Windows\System32\AppVClient.exe Code function: 12_2_00537C00 12_2_00537C00
Source: C:\Windows\System32\AppVClient.exe Code function: 12_2_00562D40 12_2_00562D40
Source: C:\Windows\System32\AppVClient.exe Code function: 12_2_005379F0 12_2_005379F0
Source: C:\Windows\System32\AppVClient.exe Code function: 12_2_0055EEB0 12_2_0055EEB0
Source: C:\Windows\System32\AppVClient.exe Code function: 12_2_005592A0 12_2_005592A0
Source: C:\Windows\System32\AppVClient.exe Code function: 12_2_005593B0 12_2_005593B0
Source: C:\Windows\System32\FXSSVC.exe Code function: 15_2_009AA810 15_2_009AA810
Source: C:\Windows\System32\FXSSVC.exe Code function: 15_2_00987C00 15_2_00987C00
Source: C:\Windows\System32\FXSSVC.exe Code function: 15_2_009879F0 15_2_009879F0
Source: C:\Windows\System32\FXSSVC.exe Code function: 15_2_009B2D40 15_2_009B2D40
Source: C:\Windows\System32\FXSSVC.exe Code function: 15_2_009AEEB0 15_2_009AEEB0
Source: C:\Windows\System32\FXSSVC.exe Code function: 15_2_009A92A0 15_2_009A92A0
Source: C:\Windows\System32\FXSSVC.exe Code function: 15_2_009A93B0 15_2_009A93B0
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 18_2_04C17668 18_2_04C17668
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Code function: 19_2_01A379F0 19_2_01A379F0
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Code function: 19_2_01A62D40 19_2_01A62D40
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Code function: 19_2_01A37C00 19_2_01A37C00
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Code function: 19_2_01A5A810 19_2_01A5A810
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Code function: 19_2_01A593B0 19_2_01A593B0
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Code function: 19_2_01A592A0 19_2_01A592A0
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Code function: 19_2_01A5EEB0 19_2_01A5EEB0
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Process token adjusted: Load Driver
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Process token adjusted: Security
Source: C:\Users\user\Desktop\tyRPPK48Mk.exe Code function: String function: 004115D7 appears 35 times
Source: C:\Users\user\Desktop\tyRPPK48Mk.exe Code function: String function: 00416C70 appears 39 times
Source: C:\Users\user\Desktop\tyRPPK48Mk.exe Code function: String function: 00445AE0 appears 65 times
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: String function: 0040E710 appears 44 times
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: String function: 00401B10 appears 50 times
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: String function: 00408F40 appears 38 times
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: String function: 004301F8 appears 36 times
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: String function: 004115D7 appears 72 times
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: String function: 00416C70 appears 78 times
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: String function: 004181F2 appears 42 times
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: String function: 00445AE0 appears 130 times
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: String function: 0041341F appears 36 times
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: String function: 00422240 appears 36 times
Source: 117.0.5938.132_chrome_installer.exe.6.dr Static PE information: Resource name: B7 type: 7-zip archive data, version 0.4
Source: 117.0.5938.132_chrome_installer.exe.6.dr Static PE information: Resource name: BL type: Microsoft Cabinet archive data, Windows 2000/XP setup, 1522998 bytes, 1 file, at 0x2c +A "setup.exe", number 1, 133 datablocks, 0x1203 compression
Source: Acrobat.exe.6.dr Static PE information: Resource name: RT_STRING type: DOS executable (COM, 0x8C-variant)
Source: msedgewebview2.exe.6.dr Static PE information: Number of sections : 14 > 10
Source: msedge_pwa_launcher.exe.6.dr Static PE information: Number of sections : 13 > 10
Source: msedge_proxy.exe0.6.dr Static PE information: Number of sections : 12 > 10
Source: pwahelper.exe0.6.dr Static PE information: Number of sections : 12 > 10
Source: identity_helper.exe.6.dr Static PE information: Number of sections : 12 > 10
Source: pwahelper.exe.6.dr Static PE information: Number of sections : 12 > 10
Source: elevation_service.exe.6.dr Static PE information: Number of sections : 12 > 10
Source: ie_to_edge_stub.exe.6.dr Static PE information: Number of sections : 11 > 10
Source: msedge_proxy.exe.6.dr Static PE information: Number of sections : 12 > 10
Source: elevation_service.exe0.6.dr Static PE information: Number of sections : 12 > 10
Source: notification_click_helper.exe.6.dr Static PE information: Number of sections : 13 > 10
Source: firefox.exe.6.dr Static PE information: Number of sections : 11 > 10
Source: setup.exe.6.dr Static PE information: Number of sections : 13 > 10
Source: unknown Driver loaded: C:\Windows\System32\drivers\AppVStrm.sys
Source: tyRPPK48Mk.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: 1.2.name.exe.3c50000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 1.2.name.exe.3c50000.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 3.2.name.exe.3d80000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 3.2.name.exe.3d80000.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 5.2.name.exe.3d80000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 5.2.name.exe.3d80000.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 22.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 22.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 22.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 22.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 22.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 18.2.name.exe.39b0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 18.2.name.exe.39b0000.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 3.2.name.exe.3d80000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 3.2.name.exe.3d80000.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 5.2.name.exe.3d80000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 5.2.name.exe.3d80000.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 1.2.name.exe.3c50000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 1.2.name.exe.3c50000.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 18.2.name.exe.39b0000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 18.2.name.exe.39b0000.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000003.00000002.1824115002.0000000003D80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000003.00000002.1824115002.0000000003D80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000001.00000002.1806914004.0000000003C50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000001.00000002.1806914004.0000000003C50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000012.00000002.1962839216.00000000039B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000012.00000002.1962839216.00000000039B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000016.00000002.1958069943.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000016.00000002.1958069943.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000016.00000002.1958069943.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000005.00000002.1848783066.0000000003D80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000005.00000002.1848783066.0000000003D80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: Process Memory Space: name.exe PID: 4420, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: name.exe PID: 2084, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: name.exe PID: 6908, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: default-browser-agent.exe.6.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: firefox.exe.6.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: javaws.exe.6.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: GoogleCrashHandler.exe.6.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: GoogleCrashHandler64.exe.6.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: GoogleUpdate.exe.6.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: GoogleUpdateBroker.exe.6.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: GoogleUpdateComRegisterShell64.exe.6.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: GoogleUpdateCore.exe.6.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: maintenanceservice.exe.6.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: GoogleUpdateOnDemand.exe.6.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: minidump-analyzer.exe.6.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: 117.0.5938.132_chrome_installer.exe.6.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: pingsender.exe.6.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: jabswitch.exe.6.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: plugin-container.exe.6.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: private_browsing.exe.6.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: updater.exe.6.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Au3Info.exe.6.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: elevation_service.exe.6.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Au3Info_x64.exe.6.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: elevation_service.exe0.6.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: maintenanceservice.exe0.6.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: msdtc.exe.6.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: msiexec.exe.6.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: java-rmi.exe.6.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: java.exe.6.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: javacpl.exe.6.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: javaw.exe.6.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: javaws.exe0.6.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: armsvc.exe.6.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: jjs.exe.6.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: alg.exe.6.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: jp2launcher.exe.6.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: keytool.exe.6.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AppVClient.exe.6.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: kinit.exe.6.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: DiagnosticsHub.StandardCollector.Service.exe.6.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: klist.exe.6.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: FXSSVC.exe.6.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: PerceptionSimulationService.exe.6.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: perfhost.exe.6.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Locator.exe.6.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: MsSense.exe.6.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: SensorDataService.exe.6.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: snmptrap.exe.6.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: ktab.exe.6.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: orbd.exe.6.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: pack200.exe.6.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: policytool.exe.6.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: rmid.exe.6.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: rmiregistry.exe.6.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: servertool.exe.6.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: ssvagent.exe.6.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: tnameserv.exe.6.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: unpack200.exe.6.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Spectrum.exe.6.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: ssh-agent.exe.6.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: TieringEngineService.exe.6.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AgentService.exe.6.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: vds.exe.6.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: VSSVC.exe.6.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: wbengine.exe.6.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: WmiApSrv.exe.6.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: wmpnetwk.exe.6.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: SearchIndexer.exe.6.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: ie_to_edge_stub.exe.6.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: cookie_exporter.exe.6.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: identity_helper.exe.6.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: setup.exe.6.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: msedgewebview2.exe.6.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: msedge_proxy.exe.6.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: msedge_pwa_launcher.exe.6.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: notification_click_helper.exe.6.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: pwahelper.exe.6.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: msedge_proxy.exe0.6.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: 7z.exe.6.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: 7zFM.exe.6.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: 7zG.exe.6.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Acrobat.exe.6.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AcrobatInfo.exe.6.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: acrobat_sl.exe.6.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AcroBroker.exe.6.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AcroCEF.exe.6.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: pwahelper.exe0.6.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: default-browser-agent.exe.6.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: firefox.exe.6.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: javaws.exe.6.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: GoogleCrashHandler.exe.6.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: GoogleCrashHandler64.exe.6.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: GoogleUpdate.exe.6.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: GoogleUpdateBroker.exe.6.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: GoogleUpdateComRegisterShell64.exe.6.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: GoogleUpdateCore.exe.6.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: maintenanceservice.exe.6.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: GoogleUpdateOnDemand.exe.6.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: minidump-analyzer.exe.6.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: 117.0.5938.132_chrome_installer.exe.6.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: pingsender.exe.6.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: jabswitch.exe.6.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: plugin-container.exe.6.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: private_browsing.exe.6.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: updater.exe.6.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Au3Info.exe.6.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: elevation_service.exe.6.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Au3Info_x64.exe.6.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: elevation_service.exe0.6.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: maintenanceservice.exe0.6.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: msdtc.exe.6.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: msiexec.exe.6.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: java-rmi.exe.6.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: java.exe.6.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: javacpl.exe.6.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: javaw.exe.6.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: javaws.exe0.6.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: armsvc.exe.6.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: jjs.exe.6.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: alg.exe.6.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: jp2launcher.exe.6.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: keytool.exe.6.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AppVClient.exe.6.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: classification engine Classification label: mal100.spre.troj.expl.evad.winEXE@36/157@327/21
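The section flags repeated for every dropped file above are the static trace of the file infector: a linker-produced .reloc carries IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_DISCARDABLE | IMAGE_SCN_MEM_READ (0x42000040), while these files show the same bits plus IMAGE_SCN_MEM_EXECUTE and IMAGE_SCN_MEM_WRITE (0xE2000040), i.e. code was appended into .reloc and the section made writable and executable. The script below is an added example for hunting that anomaly on other hosts; it is not part of the Joe Sandbox report and not the malware's code. It walks the PE section table with the standard library only, reports W+X sections, an executable .reloc, and an entry point that lands outside a code section (that last check is a general infector heuristic, not a finding stated in this report), and carries a constructed headers-only PE fixture so it can be exercised offline.

```python
import struct
import sys
from pathlib import Path

# Section characteristic bits from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_DISCARDABLE = 0x02000000
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

FLAG_NAMES = {IMAGE_SCN_CNT_CODE: "IMAGE_SCN_CNT_CODE", IMAGE_SCN_CNT_INITIALIZED_DATA: "IMAGE_SCN_CNT_INITIALIZED_DATA",
              IMAGE_SCN_MEM_DISCARDABLE: "IMAGE_SCN_MEM_DISCARDABLE", IMAGE_SCN_MEM_EXECUTE: "IMAGE_SCN_MEM_EXECUTE",
              IMAGE_SCN_MEM_READ: "IMAGE_SCN_MEM_READ", IMAGE_SCN_MEM_WRITE: "IMAGE_SCN_MEM_WRITE"}

# What a linker-produced .reloc normally carries: initialized data, discardable, read-only (0x42000040).
NORMAL_RELOC = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_DISCARDABLE | IMAGE_SCN_MEM_READ


def describe_flags(chars):
    """Render characteristics the way the report lists them (ascending bit order)."""
    return ", ".join(name for bit, name in sorted(FLAG_NAMES.items()) if chars & bit)


def parse_pe(data):
    """Return (AddressOfEntryPoint, section list) by walking the PE headers only."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    entry = struct.unpack_from("<I", data, opt + 16)[0]  # same offset in PE32 and PE32+
    sections = []
    for i in range(num_sections):
        off = opt + size_opt + i * 40  # IMAGE_SECTION_HEADER is 40 bytes
        name, vsize, va, rawsize = struct.unpack_from("<8sIII", data, off)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "rawsize": rawsize, "chars": chars})
    return entry, sections


def audit_pe(data):
    """One finding per section that looks infector-modified; empty list for a clean layout."""
    entry, sections = parse_pe(data)
    findings = []
    for s in sections:
        c, reasons = s["chars"], []
        if c & IMAGE_SCN_MEM_EXECUTE and c & IMAGE_SCN_MEM_WRITE:
            reasons.append("writable and executable")
        if s["name"] == ".reloc" and c & IMAGE_SCN_MEM_EXECUTE:
            reasons.append(".reloc marked executable")
        end = s["va"] + max(s["vsize"], s["rawsize"])
        if s["va"] <= entry < end and not c & IMAGE_SCN_CNT_CODE:
            reasons.append("entry point 0x%X lies in a non-code section" % entry)
        if reasons:
            findings.append("%s (0x%08X): %s" % (s["name"], c, "; ".join(reasons)))
    return findings


def build_test_pe(sections, entry_rva):
    """Constructed fixture: a headers-only PE32 image (not loadable) with the given section table."""
    e_lfanew, size_opt = 0x40, 0xE0
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, size_opt, 0x0102)
    opt = bytearray(size_opt)
    struct.pack_into("<H", opt, 0, 0x10B)       # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)  # AddressOfEntryPoint
    table = b"".join(struct.pack("<8sIIIIIIHHI", name, vsize, va, vsize, 0, 0, 0, 0, 0, chars)
                     for name, va, vsize, chars in sections)
    return dos + b"PE\0\0" + coff + bytes(opt) + table


# Constructed section tables: a normal linker layout, and the layout the dropped files above show.
CLEAN_SECTIONS = [
    (b".text", 0x1000, 0x4000, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (b".data", 0x5000, 0x1000, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    (b".reloc", 0x6000, 0x1000, NORMAL_RELOC),
]
INFECTED_SECTIONS = CLEAN_SECTIONS[:2] + [
    (b".reloc", 0x6000, 0x9000, NORMAL_RELOC | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE),
]


def scan(roots):
    """Yield (path, findings) for every PE under the given directories that trips a check."""
    for root in roots:
        for p in Path(root).rglob("*"):
            if p.suffix.lower() not in (".exe", ".dll", ".sys") or not p.is_file():
                continue
            try:
                findings = audit_pe(p.read_bytes())
            except (OSError, ValueError, struct.error):
                continue
            if findings:
                yield p, findings


if __name__ == "__main__":
    for path, findings in scan(sys.argv[1:]):
        print(path, *findings, sep="\n    ")
```

Run it as `python audit_reloc.py "C:\Program Files" "C:\Program Files (x86)" C:\Windows\System32` on a host suspected of carrying the infector; a clean Windows install produces no output, because no Microsoft or third-party linker emits a writable, executable .reloc. Packed or self-modifying legitimate binaries can have W+X sections elsewhere, so treat the .reloc and entry-point reasons as the high-confidence ones.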
Source: C:\Users\user\Desktop\tyRPPK48Mk.exe Code function: 0_2_0044AF6C GetLastError,FormatMessageW, 0_2_0044AF6C
Source: C:\Users\user\Desktop\tyRPPK48Mk.exe Code function: 0_2_004333BE GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState, 0_2_004333BE
Source: C:\Users\user\Desktop\tyRPPK48Mk.exe Code function: 0_2_00464EAE OpenProcess,GetLastError,GetLastError,GetCurrentThread,OpenThreadToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,AdjustTokenPrivileges,GetLastError,OpenProcess,AdjustTokenPrivileges,CloseHandle,TerminateProcess,GetLastError,CloseHandle, 0_2_00464EAE
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 1_2_004333BE GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState, 1_2_004333BE
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 1_2_00464EAE OpenProcess,GetLastError,GetLastError,GetCurrentThread,OpenThreadToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,AdjustTokenPrivileges,GetLastError,OpenProcess,AdjustTokenPrivileges,CloseHandle,TerminateProcess,GetLastError,CloseHandle, 1_2_00464EAE
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 3_2_004333BE GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState, 3_2_004333BE
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 3_2_00464EAE OpenProcess,GetLastError,GetLastError,GetCurrentThread,OpenThreadToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,AdjustTokenPrivileges,GetLastError,OpenProcess,AdjustTokenPrivileges,CloseHandle,TerminateProcess,GetLastError,CloseHandle, 3_2_00464EAE
Source: C:\Users\user\Desktop\tyRPPK48Mk.exe Code function: 0_2_0045D619 SetErrorMode,GetDiskFreeSpaceW,GetLastError,SetErrorMode, 0_2_0045D619
Source: C:\Users\user\Desktop\tyRPPK48Mk.exe Code function: 0_2_004755C4 CreateToolhelp32Snapshot,Process32FirstW,__wsplitpath,_wcscat,__wcsicoll,Process32NextW,CloseHandle, 0_2_004755C4
Source: C:\Users\user\Desktop\tyRPPK48Mk.exe Code function: 0_2_0047839D CoInitialize,CoCreateInstance,CoUninitialize, 0_2_0047839D
Source: C:\Users\user\Desktop\tyRPPK48Mk.exe Code function: 0_2_0043305F __swprintf,__swprintf,__wcsicoll,FindResourceW,LoadResource,LockResource,FindResourceW,LoadResource,SizeofResource,LockResource,CreateIconFromResourceEx, 0_2_0043305F
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe File created: C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log
Source: C:\Users\user\Desktop\tyRPPK48Mk.exe File created: C:\Users\user\AppData\Local\directory
Source: C:\Windows\SysWOW64\svchost.exe Mutant created: \Sessions\1\BaseNamedObjects\Rmc-98KSNN
Source: C:\Windows\SysWOW64\svchost.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\Multiarch.m0yv-73722fd785394ff77d8e3ee9-b
Source: C:\Windows\SysWOW64\svchost.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\Multiarch.m0yv-73722fd785394ff7-inf
Source: C:\Windows\System32\alg.exe Mutant created: \BaseNamedObjects\Global\Multiarch.m0yv-73722fd785394ff79ea72c54-b
Source: C:\Users\user\Desktop\tyRPPK48Mk.exe File created: C:\Users\user\AppData\Local\Temp\woolpress
Source: unknown Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs"
Source: tyRPPK48Mk.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\tyRPPK48Mk.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\tyRPPK48Mk.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: tyRPPK48Mk.exe ReversingLabs: Detection: 73%
Source: C:\Users\user\Desktop\tyRPPK48Mk.exe File read: C:\Users\user\Desktop\tyRPPK48Mk.exe
Source: unknown Process created: C:\Users\user\Desktop\tyRPPK48Mk.exe "C:\Users\user\Desktop\tyRPPK48Mk.exe"
Source: C:\Users\user\Desktop\tyRPPK48Mk.exe Process created: C:\Users\user\AppData\Local\directory\name.exe "C:\Users\user\Desktop\tyRPPK48Mk.exe"
Source: C:\Users\user\AppData\Local\directory\name.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\tyRPPK48Mk.exe"
Source: C:\Users\user\AppData\Local\directory\name.exe Process created: C:\Users\user\AppData\Local\directory\name.exe "C:\Users\user\AppData\Local\directory\name.exe"
Source: C:\Users\user\AppData\Local\directory\name.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Local\directory\name.exe"
Source: C:\Users\user\AppData\Local\directory\name.exe Process created: C:\Users\user\AppData\Local\directory\name.exe "C:\Users\user\AppData\Local\directory\name.exe"
Source: C:\Users\user\AppData\Local\directory\name.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Local\directory\name.exe"
Source: C:\Users\user\AppData\Local\directory\name.exe Process created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe"
Source: unknown Process created: C:\Windows\System32\alg.exe C:\Windows\System32\alg.exe
Source: unknown Process created: C:\Windows\System32\AppVClient.exe C:\Windows\system32\AppVClient.exe
Source: unknown Process created: C:\Windows\System32\FXSSVC.exe C:\Windows\system32\fxssvc.exe
Source: unknown Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs"
Source: unknown Process created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe"
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\directory\name.exe "C:\Users\user\AppData\Local\directory\name.exe"
Source: unknown Process created: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
Source: unknown Process created: C:\Windows\System32\msdtc.exe C:\Windows\System32\msdtc.exe
Source: C:\Users\user\AppData\Local\directory\name.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Local\directory\name.exe"
Source: unknown Process created: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Source: unknown Process created: C:\Windows\SysWOW64\perfhost.exe C:\Windows\SysWow64\perfhost.exe
Source: unknown Process created: C:\Windows\System32\Locator.exe C:\Windows\system32\locator.exe
Source: unknown Process created: C:\Windows\System32\SensorDataService.exe C:\Windows\System32\SensorDataService.exe
Source: unknown Process created: C:\Windows\System32\snmptrap.exe C:\Windows\System32\snmptrap.exe
Source: unknown Process created: C:\Windows\System32\Spectrum.exe C:\Windows\system32\spectrum.exe
Source: unknown Process created: C:\Windows\System32\OpenSSH\ssh-agent.exe C:\Windows\System32\OpenSSH\ssh-agent.exe
Source: unknown Process created: C:\Windows\System32\TieringEngineService.exe C:\Windows\system32\TieringEngineService.exe
Source: unknown Process created: C:\Windows\System32\AgentService.exe C:\Windows\system32\AgentService.exe
Source: unknown Process created: C:\Windows\System32\vds.exe C:\Windows\System32\vds.exe
Source: unknown Process created: C:\Windows\System32\wbengine.exe "C:\Windows\system32\wbengine.exe"
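The process-creation lines above show the loader chain in a form a detection engineer can pattern on: tyRPPK48Mk.exe starts name.exe with its own command line, and name.exe starts C:\Windows\SysWOW64\svchost.exe with a command line that names name.exe, which is what a hollowed or injected process looks like in a creation log (the image on disk and the executable named by the command line disagree); wscript.exe runs name.vbs from the Startup folder and then spawns name.exe; and the mutexes listed earlier pair the Remcos name Rmc-98KSNN with the Multiarch.m0yv mutexes of the Expiro infector this sample is tagged with. The following is an added example, not code from the report or its vendor, that turns those observations into rules and runs them over lines copied from this report. The rule names, the "\Users\" user-writable heuristic and the expectation that svchost.exe is parented by services.exe are assumptions made for this example, not findings the report states.

```python
import re
from collections import Counter

# Sample input: process-creation and mutex lines copied from the report above.
REPORT_LINES = [
    r'Source: unknown Process created: C:\Users\user\Desktop\tyRPPK48Mk.exe "C:\Users\user\Desktop\tyRPPK48Mk.exe"',
    r'Source: C:\Users\user\Desktop\tyRPPK48Mk.exe Process created: C:\Users\user\AppData\Local\directory\name.exe "C:\Users\user\Desktop\tyRPPK48Mk.exe"',
    r'Source: C:\Users\user\AppData\Local\directory\name.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\tyRPPK48Mk.exe"',
    r'Source: C:\Users\user\AppData\Local\directory\name.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Local\directory\name.exe"',
    r'Source: unknown Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs"',
    r'Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\directory\name.exe "C:\Users\user\AppData\Local\directory\name.exe"',
    r'Source: unknown Process created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe"',
    r'Source: unknown Process created: C:\Windows\System32\alg.exe C:\Windows\System32\alg.exe',
    r'Source: C:\Windows\SysWOW64\svchost.exe Mutant created: \Sessions\1\BaseNamedObjects\Rmc-98KSNN',
    r'Source: C:\Windows\SysWOW64\svchost.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\Multiarch.m0yv-73722fd785394ff7-inf',
    r'Source: C:\Windows\System32\alg.exe Mutant created: \BaseNamedObjects\Global\Multiarch.m0yv-73722fd785394ff79ea72c54-b',
]

# "Source: <parent> Process created: <image> <command line>"; the image path ends at the first ".exe ".
PROC_RE = re.compile(r'^Source: (?P<parent>.+?) Process created: (?P<image>.+?\.exe) (?P<cmdline>.+)$', re.I)
MUTEX_RE = re.compile(r'^Source: (?P<proc>.+?) Mutant created: (?P<name>.+)$')
MUTEX_PATTERNS = {
    # Remcos names its mutex "Rmc-" followed by six alphanumerics (Rmc-98KSNN in this report).
    "remcos_mutex": re.compile(r'\\Rmc-[A-Z0-9]{6}$'),
    # The Multiarch.m0yv-<hex>-b / -inf pair is created by the Expiro infector the sample is tagged with.
    "expiro_mutex": re.compile(r'\\Multiarch\.m0yv-[0-9a-f]+-(?:b|inf)$'),
}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def cmdline_image(cmdline):
    """Executable a command line names: the first quoted token, else the first whitespace-delimited one."""
    if cmdline.startswith('"'):
        return cmdline[1:cmdline.index('"', 1)]
    return cmdline.split(" ", 1)[0]


def check_process(parent, image, cmdline):
    """Rules over one creation event; the first is the hollowing/injection indicator."""
    rules = []
    if image.lower() != cmdline_image(cmdline).lower():
        rules.append("image_mismatch")       # image on disk differs from the executable the command line names
    if basename(image) in SCRIPT_HOSTS and "\\start menu\\programs\\startup\\" in cmdline.lower():
        rules.append("startup_script")       # script host running a script from the Startup folder
    if basename(parent) in SCRIPT_HOSTS and "\\users\\" in image.lower():
        rules.append("script_host_child")    # wscript/cscript spawning an executable from a user-writable path
    if basename(image) == "svchost.exe" and basename(parent) != "services.exe":
        rules.append("svchost_odd_parent")   # svchost is normally started by services.exe only
    return rules


def analyze(lines):
    """Return (rule, subject, detail) triples for every rule hit in the given report lines."""
    findings = []
    for line in lines:
        m = PROC_RE.match(line)
        if m:
            for rule in check_process(m["parent"], m["image"], m["cmdline"]):
                findings.append((rule, m["image"], m["cmdline"]))
            continue
        m = MUTEX_RE.match(line)
        if m:
            for rule, pattern in MUTEX_PATTERNS.items():
                if pattern.search(m["name"]):
                    findings.append((rule, m["proc"], m["name"]))
    return findings


def summarize(lines):
    """Rule -> hit count, the shape a triage script would print or ship to a SIEM."""
    return dict(Counter(rule for rule, _, _ in analyze(lines)))


if __name__ == "__main__":
    for rule, subject, detail in analyze(REPORT_LINES):
        print(f"{rule:18} {subject}  <-  {detail}")
    print(summarize(REPORT_LINES))
```

The image-versus-command-line comparison is the portable part: Sysmon event 1 and most EDR process events carry both fields, and a mismatch between them on a Microsoft-signed image such as svchost.exe is rare enough in normal operation to alert on directly. The mutex regexes are brittle by design (they pin the exact naming schemes seen here) and belong next to, not instead of, the behavioural rules.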
Source: C:\Users\user\Desktop\tyRPPK48Mk.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\tyRPPK48Mk.exe Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\tyRPPK48Mk.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\tyRPPK48Mk.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\tyRPPK48Mk.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\tyRPPK48Mk.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\tyRPPK48Mk.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\tyRPPK48Mk.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\tyRPPK48Mk.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\tyRPPK48Mk.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\tyRPPK48Mk.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\tyRPPK48Mk.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\tyRPPK48Mk.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\tyRPPK48Mk.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: winmm.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: rstrtmgr.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: webio.dll
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\alg.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\alg.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\alg.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\alg.exe Section loaded: mpr.dll
Source: C:\Windows\System32\alg.exe Section loaded: secur32.dll
Source: C:\Windows\System32\alg.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\alg.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\alg.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\alg.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\alg.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\alg.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\alg.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\alg.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\alg.exe Section loaded: webio.dll
Source: C:\Windows\System32\alg.exe Section loaded: drprov.dll
Source: C:\Windows\System32\alg.exe Section loaded: winsta.dll
Source: C:\Windows\System32\alg.exe Section loaded: ntlanman.dll
Source: C:\Windows\System32\alg.exe Section loaded: davclnt.dll
Source: C:\Windows\System32\alg.exe Section loaded: davhlpr.dll
Source: C:\Windows\System32\alg.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\alg.exe Section loaded: cscapi.dll
Source: C:\Windows\System32\alg.exe Section loaded: netutils.dll
Source: C:\Windows\System32\alg.exe Section loaded: browcli.dll
Source: C:\Windows\System32\AppVClient.exe Section loaded: appvpolicy.dll
Source: C:\Windows\System32\AppVClient.exe Section loaded: userenv.dll
Source: C:\Windows\System32\AppVClient.exe Section loaded: wtsapi32.dll
Source: C:\Windows\System32\AppVClient.exe Section loaded: netapi32.dll
Source: C:\Windows\System32\AppVClient.exe Section loaded: secur32.dll
Source: C:\Windows\System32\AppVClient.exe Section loaded: wininet.dll
Source: C:\Windows\System32\AppVClient.exe Section loaded: netutils.dll
Source: C:\Windows\System32\AppVClient.exe Section loaded: samcli.dll
Source: C:\Windows\System32\AppVClient.exe Section loaded: logoncli.dll
Source: C:\Windows\System32\AppVClient.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\AppVClient.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\AppVClient.exe Section loaded: mpr.dll
Source: C:\Windows\System32\AppVClient.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\AppVClient.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\AppVClient.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\AppVClient.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\AppVClient.exe Section loaded: appmanagementconfiguration.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: version.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: tapi32.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: credui.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: fxstiff.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: mpr.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: secur32.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: slc.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: sppc.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: fxsresm.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: ualapi.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: slc.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: sppc.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: slc.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: sppc.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: wldp.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: profapi.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: slc.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: sppc.dll
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: vbscript.dll
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mlang.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe Section loaded: edputil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: netutils.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe Section loaded: appresolver.dll
Source: C:\Windows\System32\wscript.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: slc.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sppc.dll
Source: C:\Windows\System32\wscript.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\wscript.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe Section loaded: dbghelp.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe Section loaded: winhttp.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe Section loaded: mpr.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe Section loaded: secur32.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe Section loaded: drprov.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe Section loaded: winsta.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe Section loaded: ntlanman.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe Section loaded: davclnt.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe Section loaded: davhlpr.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe Section loaded: wkscli.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe Section loaded: cscapi.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe Section loaded: netutils.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe Section loaded: browcli.dll
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Section loaded: version.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Section loaded: winhttp.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Section loaded: mpr.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Section loaded: secur32.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: msdtctm.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: msdtcprx.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: msdtclog.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: mtxclu.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: winmm.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: clusapi.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: xolehlp.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: mtxclu.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: ktmw32.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: clusapi.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: resutils.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: resutils.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: mpr.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: secur32.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: comres.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: msdtcvsp1res.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: mtxoci.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: oci.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: cscapi.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: netutils.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: firewallapi.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: fwbase.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: fwpolicyiomgr.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: drprov.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: winsta.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: ntlanman.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: davclnt.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: davhlpr.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: browcli.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: winmm.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: rstrtmgr.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\tyRPPK48Mk.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: tyRPPK48Mk.exe Static file information: File size 3101805 > 1048576
Source: Binary string: C:\work\p4\splinters\Splinters\S\BuildResults\bin\Win32\ReaderRelease\FullTrustNotifier\FullTrustNotifier.pdb77.GCTL source: svchost.exe, 00000006.00000003.2475292212.0000000004C30000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: E:\PkgInstaller\base\ntsetup\SrvPack.Main\tools\sfxcab\sfxcab\objfre\i386\sfxcab.pdb source: svchost.exe, 00000006.00000003.2571026895.0000000004B80000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.2552676258.0000000004CA0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.2555692425.0000000004CB0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: msiexec.pdb source: svchost.exe, 00000006.00000003.1940200063.0000000005760000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\DCB\CBT_Main\BuildResults\bin\Win32\Release\armsvc.pdb source: svchost.exe, 00000006.00000003.1848418445.0000000005560000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\AcrobatInfo.pdb source: svchost.exe, 00000006.00000003.2166044684.0000000004C90000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ssh-agent.pdb source: svchost.exe, 00000006.00000003.2024944125.0000000005760000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\TextExtractor.pdb444 source: svchost.exe, 00000006.00000003.2309255812.0000000004BE0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: WINLOA~1.PDBwinload_prod.pdb source: svchost.exe, 00000006.00000003.2113410162.0000000003083000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\TextExtractor.pdb source: svchost.exe, 00000006.00000003.2309255812.0000000004BE0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: msiexec.pdbGCTL source: svchost.exe, 00000006.00000003.1940200063.0000000005760000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ADelRCP_Exec.pdb source: svchost.exe, 00000006.00000003.2329602484.0000000004B90000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: mavinject32.pdbGCTL source: svchost.exe, 00000006.00000003.2631630815.00000000054F0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.2637810667.0000000004BB0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: PresentationFontCache.pdb source: svchost.exe, 00000006.00000003.1892510705.0000000005750000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000008.00000003.3178209395.0000000001470000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: PerceptionSimulationService.pdb source: svchost.exe, 00000006.00000003.1951393165.0000000005760000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: name.exe, 00000001.00000003.1802681812.0000000005030000.00000004.00001000.00020000.00000000.sdmp, name.exe, 00000001.00000003.1802504246.0000000003DE0000.00000004.00001000.00020000.00000000.sdmp, name.exe, 00000003.00000003.1821978946.00000000040B0000.00000004.00001000.00020000.00000000.sdmp, name.exe, 00000003.00000003.1818359606.0000000003F10000.00000004.00001000.00020000.00000000.sdmp, name.exe, 00000005.00000003.1837727518.0000000003F10000.00000004.00001000.00020000.00000000.sdmp, name.exe, 00000005.00000003.1840416756.0000000005860000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\WebInstaller\AcroMiniServicesUpdater.pdb source: svchost.exe, 00000006.00000003.2278103872.0000000004B90000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: MsSense.pdbGCTL source: svchost.exe, 00000006.00000003.1990664261.0000000005760000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: MsSense.pdb source: svchost.exe, 00000006.00000003.1990664261.0000000005760000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\dbs\el\omr\Target\x64\ship\click2run\x-none\InspectorOfficeGadget.pdb source: svchost.exe, 00000006.00000003.2608906582.0000000004C40000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\Acrobat\Installers\ShowAppPickerForPDF\Release_x64\ShowAppPickerForPDF.pdb source: svchost.exe, 00000006.00000003.2482581363.0000000004C20000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.2496506784.0000000004B80000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: WmiApSrv.pdbGCTL source: svchost.exe, 00000006.00000003.2075539957.0000000005760000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\WCChromeNativeMessagingHost.pdb888 source: svchost.exe, 00000006.00000003.2362639087.0000000004BA0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: Acrobat_SL.pdb((( source: svchost.exe, 00000006.00000003.2178027420.0000000004C40000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: locator.pdb source: svchost.exe, 00000006.00000003.1987958380.00000000054F0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1978746407.0000000005760000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: DiagnosticsHub.StandardCollector.Service.pdbGCTL source: svchost.exe, 00000006.00000003.1876194254.00000000056D0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ADelRCP_Exec.pdbCC9 source: svchost.exe, 00000006.00000003.2329602484.0000000004B90000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\AcroBroker.pdb source: svchost.exe, 00000006.00000003.2193636183.0000000004C40000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: Acrobat_SL.pdb source: svchost.exe, 00000006.00000003.2178027420.0000000004C40000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: E:\PkgInstaller\base\ntsetup\SrvPack.Main\tools\sfxcab\sfxcab\objfre\i386\sfxcab.pdbU source: svchost.exe, 00000006.00000003.2571026895.0000000004B80000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.2552676258.0000000004CA0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.2555692425.0000000004CB0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\WebInstaller\AcroMiniServicesUpdater.pdbT source: svchost.exe, 00000006.00000003.2278103872.0000000004B90000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\workspace\CR-Windows-x64-Client-Builder\x64\Release\CRWindowsClientService.pdbGG source: svchost.exe, 00000006.00000003.2385840703.0000000004CB0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\AcrobatInfo.pdb))) source: svchost.exe, 00000006.00000003.2166044684.0000000004C90000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: mavinject32.pdb source: svchost.exe, 00000006.00000003.2631630815.00000000054F0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.2637810667.0000000004BB0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: maintenanceservice.pdb source: svchost.exe, 00000006.00000003.1919148439.0000000005760000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: PerceptionSimulationService.pdbGCTL source: svchost.exe, 00000006.00000003.1951393165.0000000005760000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: msdtcexe.pdbGCTL source: svchost.exe, 00000006.00000003.1931405560.0000000005760000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: 64BitMAPIBroker.pdb source: svchost.exe, 00000006.00000003.2453584126.0000000004BC0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: snmptrap.pdbGCTL source: svchost.exe, 00000006.00000003.2004063369.0000000005760000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: PerfHost.pdbGCTL source: svchost.exe, 00000006.00000003.1964254852.0000000005720000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1975873172.00000000054F0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1966295550.0000000005760000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\dbs\el\omr\Target\x64\ship\click2run\x-none\InspectorOfficeGadget.pdbY source: svchost.exe, 00000006.00000003.2608906582.0000000004C40000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: E:\jenkins\workspace\NGL_WORKFLOW\build\master\win64\Release\Acrobat\project\win\ngl-workflow\x64\Release (Acrobat)\adobe_licensing_wf_helper_acro.pdb source: svchost.exe, 00000006.00000003.2432675812.0000000004C30000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\WCChromeNativeMessagingHost.pdb source: svchost.exe, 00000006.00000003.2362639087.0000000004BA0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\work\p4\splinters\Splinters\S\BuildResults\bin\Win32\ReaderRelease\FullTrustNotifier\FullTrustNotifier.pdb source: svchost.exe, 00000006.00000003.2475292212.0000000004C30000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: PerfHost.pdb source: svchost.exe, 00000006.00000003.1964254852.0000000005720000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1975873172.00000000054F0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1966295550.0000000005760000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\workspace\CR-Windows-x64-Client-Builder\x64\Release\CRWindowsClientService.pdb source: svchost.exe, 00000006.00000003.2385840703.0000000004CB0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release\Plug_ins\pi_brokers\32BitMAPIBroker.pdb@@ source: svchost.exe, 00000006.00000003.2438532554.0000000004CB0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: maintenanceservice.pdb` source: svchost.exe, 00000006.00000003.1919148439.0000000005760000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\Acrobat\Installers\ShowAppPickerForPDF\Release_x64\ShowAppPickerForPDF.pdb$$ source: svchost.exe, 00000006.00000003.2482581363.0000000004C20000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.2496506784.0000000004B80000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: name.exe, 00000001.00000003.1802681812.0000000005030000.00000004.00001000.00020000.00000000.sdmp, name.exe, 00000001.00000003.1802504246.0000000003DE0000.00000004.00001000.00020000.00000000.sdmp, name.exe, 00000003.00000003.1821978946.00000000040B0000.00000004.00001000.00020000.00000000.sdmp, name.exe, 00000003.00000003.1818359606.0000000003F10000.00000004.00001000.00020000.00000000.sdmp, name.exe, 00000005.00000003.1837727518.0000000003F10000.00000004.00001000.00020000.00000000.sdmp, name.exe, 00000005.00000003.1840416756.0000000005860000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: TieringEngineService.pdb source: svchost.exe, 00000006.00000003.2032642838.0000000005760000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: TieringEngineService.pdbGCTL source: svchost.exe, 00000006.00000003.2032642838.0000000005760000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: WmiApSrv.pdb source: svchost.exe, 00000006.00000003.2075539957.0000000005760000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\Eula.pdb source: svchost.exe, 00000006.00000003.2393262607.0000000004CB0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ntkrnlmp.pdbce_T151c2VyQ29udGV4dElkPTUsYSw=p source: svchost.exe, 00000006.00000003.2113410162.0000000003083000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ALG.pdb source: svchost.exe, 00000006.00000003.1854023776.0000000005890000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: msdtcexe.pdb source: svchost.exe, 00000006.00000003.1931405560.0000000005760000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: DiagnosticsHub.StandardCollector.Service.pdb source: svchost.exe, 00000006.00000003.1876194254.00000000056D0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ALG.pdbGCTL source: svchost.exe, 00000006.00000003.1854023776.0000000005890000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: PresentationFontCache.pdbHt^t Pt_CorExeMainmscoree.dll source: svchost.exe, 00000006.00000003.1892510705.0000000005750000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000008.00000003.3178209395.0000000001470000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: locator.pdbGCTL source: svchost.exe, 00000006.00000003.1987958380.00000000054F0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.1978746407.0000000005760000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\AcroBroker.pdbTTT source: svchost.exe, 00000006.00000003.2193636183.0000000004C40000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ssh-agent.pdbX source: svchost.exe, 00000006.00000003.2024944125.0000000005760000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: AppVShNotify.pdb source: svchost.exe, 00000006.00000003.2602531162.0000000004B90000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: snmptrap.pdb source: svchost.exe, 00000006.00000003.2004063369.0000000005760000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release\Plug_ins\pi_brokers\32BitMAPIBroker.pdb source: svchost.exe, 00000006.00000003.2438532554.0000000004CB0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\Eula.pdb888 source: svchost.exe, 00000006.00000003.2393262607.0000000004CB0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: AppVShNotify.pdbGCTL source: svchost.exe, 00000006.00000003.2602531162.0000000004B90000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: WINLOA~1.PDBIEnloh source: svchost.exe, 00000006.00000003.2113410162.0000000003083000.00000004.00000020.00020000.00000000.sdmp
Source: msiexec.exe.6.dr Static PE information: 0x88D88F1C [Thu Oct 2 20:16:28 2042 UTC]
Source: C:\Users\user\Desktop\tyRPPK48Mk.exe Code function: 0_2_0040EBD0 LoadLibraryA,GetProcAddress, 0_2_0040EBD0
Source: name.exe.0.dr Static PE information: real checksum: 0xa961f should be: 0x2ffd40
Source: tyRPPK48Mk.exe Static PE information: real checksum: 0xa961f should be: 0x2ffd40
Source: default-browser-agent.exe.6.dr Static PE information: section name: .00cfg
Source: default-browser-agent.exe.6.dr Static PE information: section name: .voltbl
Source: firefox.exe.6.dr Static PE information: section name: .00cfg
Source: firefox.exe.6.dr Static PE information: section name: .freestd
Source: firefox.exe.6.dr Static PE information: section name: .retplne
Source: firefox.exe.6.dr Static PE information: section name: .voltbl
Source: GoogleCrashHandler64.exe.6.dr Static PE information: section name: _RDATA
Source: GoogleCrashHandler64.exe.6.dr Static PE information: section name: .gxfg
Source: GoogleCrashHandler64.exe.6.dr Static PE information: section name: .gehcont
Source: GoogleUpdateComRegisterShell64.exe.6.dr Static PE information: section name: _RDATA
Source: GoogleUpdateComRegisterShell64.exe.6.dr Static PE information: section name: .gxfg
Source: GoogleUpdateComRegisterShell64.exe.6.dr Static PE information: section name: .gehcont
Source: maintenanceservice.exe.6.dr Static PE information: section name: .00cfg
Source: maintenanceservice.exe.6.dr Static PE information: section name: .voltbl
Source: maintenanceservice.exe.6.dr Static PE information: section name: _RDATA
Source: minidump-analyzer.exe.6.dr Static PE information: section name: .00cfg
Source: minidump-analyzer.exe.6.dr Static PE information: section name: .voltbl
Source: 117.0.5938.132_chrome_installer.exe.6.dr Static PE information: section name: .00cfg
Source: 117.0.5938.132_chrome_installer.exe.6.dr Static PE information: section name: .retplne
Source: pingsender.exe.6.dr Static PE information: section name: .00cfg
Source: pingsender.exe.6.dr Static PE information: section name: .voltbl
Source: plugin-container.exe.6.dr Static PE information: section name: .00cfg
Source: plugin-container.exe.6.dr Static PE information: section name: .voltbl
Source: private_browsing.exe.6.dr Static PE information: section name: .00cfg
Source: private_browsing.exe.6.dr Static PE information: section name: .voltbl
Source: updater.exe.6.dr Static PE information: section name: .00cfg
Source: updater.exe.6.dr Static PE information: section name: .voltbl
Source: updater.exe.6.dr Static PE information: section name: _RDATA
Source: elevation_service.exe.6.dr Static PE information: section name: .00cfg
Source: elevation_service.exe.6.dr Static PE information: section name: .gxfg
Source: elevation_service.exe.6.dr Static PE information: section name: .retplne
Source: elevation_service.exe.6.dr Static PE information: section name: _RDATA
Source: elevation_service.exe.6.dr Static PE information: section name: malloc_h
Source: elevation_service.exe0.6.dr Static PE information: section name: .00cfg
Source: elevation_service.exe0.6.dr Static PE information: section name: .gxfg
Source: elevation_service.exe0.6.dr Static PE information: section name: .retplne
Source: elevation_service.exe0.6.dr Static PE information: section name: _RDATA
Source: elevation_service.exe0.6.dr Static PE information: section name: malloc_h
Source: maintenanceservice.exe0.6.dr Static PE information: section name: .00cfg
Source: maintenanceservice.exe0.6.dr Static PE information: section name: .voltbl
Source: maintenanceservice.exe0.6.dr Static PE information: section name: _RDATA
Source: msdtc.exe.6.dr Static PE information: section name: .didat
Source: msiexec.exe.6.dr Static PE information: section name: .didat
Source: armsvc.exe.6.dr Static PE information: section name: .didat
Source: alg.exe.6.dr Static PE information: section name: .didat
Source: FXSSVC.exe.6.dr Static PE information: section name: .didat
Source: MsSense.exe.6.dr Static PE information: section name: .didat
Source: unpack200.exe.6.dr Static PE information: section name: .00cfg
Source: Spectrum.exe.6.dr Static PE information: section name: .didat
Source: TieringEngineService.exe.6.dr Static PE information: section name: .didat
Source: vds.exe.6.dr Static PE information: section name: .didat
Source: VSSVC.exe.6.dr Static PE information: section name: .didat
Source: WmiApSrv.exe.6.dr Static PE information: section name: .didat
Source: wmpnetwk.exe.6.dr Static PE information: section name: .didat
Source: SearchIndexer.exe.6.dr Static PE information: section name: .didat
Source: ie_to_edge_stub.exe.6.dr Static PE information: section name: .00cfg
Source: ie_to_edge_stub.exe.6.dr Static PE information: section name: .gxfg
Source: ie_to_edge_stub.exe.6.dr Static PE information: section name: .retplne
Source: ie_to_edge_stub.exe.6.dr Static PE information: section name: _RDATA
Source: cookie_exporter.exe.6.dr Static PE information: section name: .00cfg
Source: cookie_exporter.exe.6.dr Static PE information: section name: .gxfg
Source: cookie_exporter.exe.6.dr Static PE information: section name: .retplne
Source: cookie_exporter.exe.6.dr Static PE information: section name: _RDATA
Source: identity_helper.exe.6.dr Static PE information: section name: .00cfg
Source: identity_helper.exe.6.dr Static PE information: section name: .gxfg
Source: identity_helper.exe.6.dr Static PE information: section name: .retplne
Source: identity_helper.exe.6.dr Static PE information: section name: _RDATA
Source: identity_helper.exe.6.dr Static PE information: section name: malloc_h
Source: setup.exe.6.dr Static PE information: section name: .00cfg
Source: setup.exe.6.dr Static PE information: section name: .gxfg
Source: setup.exe.6.dr Static PE information: section name: .retplne
Source: setup.exe.6.dr Static PE information: section name: LZMADEC
Source: setup.exe.6.dr Static PE information: section name: _RDATA
Source: setup.exe.6.dr Static PE information: section name: malloc_h
Source: msedgewebview2.exe.6.dr Static PE information: section name: .00cfg
Source: msedgewebview2.exe.6.dr Static PE information: section name: .gxfg
Source: msedgewebview2.exe.6.dr Static PE information: section name: .retplne
Source: msedgewebview2.exe.6.dr Static PE information: section name: CPADinfo
Source: msedgewebview2.exe.6.dr Static PE information: section name: LZMADEC
Source: msedgewebview2.exe.6.dr Static PE information: section name: _RDATA
Source: msedgewebview2.exe.6.dr Static PE information: section name: malloc_h
Source: msedge_proxy.exe.6.dr Static PE information: section name: .00cfg
Source: msedge_proxy.exe.6.dr Static PE information: section name: .gxfg
Source: msedge_proxy.exe.6.dr Static PE information: section name: .retplne
Source: msedge_proxy.exe.6.dr Static PE information: section name: _RDATA
Source: msedge_proxy.exe.6.dr Static PE information: section name: malloc_h
Source: msedge_pwa_launcher.exe.6.dr Static PE information: section name: .00cfg
Source: msedge_pwa_launcher.exe.6.dr Static PE information: section name: .gxfg
Source: msedge_pwa_launcher.exe.6.dr Static PE information: section name: .retplne
Source: msedge_pwa_launcher.exe.6.dr Static PE information: section name: LZMADEC
Source: msedge_pwa_launcher.exe.6.dr Static PE information: section name: _RDATA
Source: msedge_pwa_launcher.exe.6.dr Static PE information: section name: malloc_h
Source: notification_click_helper.exe.6.dr Static PE information: section name: .00cfg
Source: notification_click_helper.exe.6.dr Static PE information: section name: .gxfg
Source: notification_click_helper.exe.6.dr Static PE information: section name: .retplne
Source: notification_click_helper.exe.6.dr Static PE information: section name: CPADinfo
Source: notification_click_helper.exe.6.dr Static PE information: section name: _RDATA
Source: notification_click_helper.exe.6.dr Static PE information: section name: malloc_h
Source: pwahelper.exe.6.dr Static PE information: section name: .00cfg
Source: pwahelper.exe.6.dr Static PE information: section name: .gxfg
Source: pwahelper.exe.6.dr Static PE information: section name: .retplne
Source: pwahelper.exe.6.dr Static PE information: section name: _RDATA
Source: pwahelper.exe.6.dr Static PE information: section name: malloc_h
Source: msedge_proxy.exe0.6.dr Static PE information: section name: .00cfg
Source: msedge_proxy.exe0.6.dr Static PE information: section name: .gxfg
Source: msedge_proxy.exe0.6.dr Static PE information: section name: .retplne
Source: msedge_proxy.exe0.6.dr Static PE information: section name: _RDATA
Source: msedge_proxy.exe0.6.dr Static PE information: section name: malloc_h
Source: Acrobat.exe.6.dr Static PE information: section name: .didat
Source: Acrobat.exe.6.dr Static PE information: section name: _RDATA
Source: AcroCEF.exe.6.dr Static PE information: section name: .didat
Source: AcroCEF.exe.6.dr Static PE information: section name: _RDATA
Source: pwahelper.exe0.6.dr Static PE information: section name: .00cfg
Source: pwahelper.exe0.6.dr Static PE information: section name: .gxfg
Source: pwahelper.exe0.6.dr Static PE information: section name: .retplne
Source: pwahelper.exe0.6.dr Static PE information: section name: _RDATA
Source: pwahelper.exe0.6.dr Static PE information: section name: malloc_h
Source: C:\Users\user\Desktop\tyRPPK48Mk.exe Code function: 0_2_00402654 push 8B0000B1h; iretd 0_2_00402659
Source: C:\Users\user\Desktop\tyRPPK48Mk.exe Code function: 0_2_00416CB5 push ecx; ret 0_2_00416CC8
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 1_2_00462463 push edi; ret 1_2_00462465
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 1_2_00416CB5 push ecx; ret 1_2_00416CC8
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 3_2_00462463 push edi; ret 3_2_00462465
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 3_2_00416CB5 push ecx; ret 3_2_00416CC8
Source: default-browser-agent.exe.6.dr Static PE information: section name: .reloc entropy: 7.941513660026067
Source: firefox.exe.6.dr Static PE information: section name: .reloc entropy: 7.93887388458026
Source: minidump-analyzer.exe.6.dr Static PE information: section name: .reloc entropy: 7.935440513053074
Source: 117.0.5938.132_chrome_installer.exe.6.dr Static PE information: section name: .reloc entropy: 7.934736259673055
Source: elevation_service.exe.6.dr Static PE information: section name: .reloc entropy: 7.943918524487799
Source: elevation_service.exe0.6.dr Static PE information: section name: .reloc entropy: 7.945924268600776
Source: Aut2exe.exe.6.dr Static PE information: section name: .rsrc entropy: 7.800626389616807
Source: AppVClient.exe.6.dr Static PE information: section name: .reloc entropy: 7.93649060877241
Source: FXSSVC.exe.6.dr Static PE information: section name: .reloc entropy: 7.9422548904612915
Source: SensorDataService.exe.6.dr Static PE information: section name: .reloc entropy: 7.935355895957106
Source: Spectrum.exe.6.dr Static PE information: section name: .reloc entropy: 7.945415728324186
Source: AgentService.exe.6.dr Static PE information: section name: .reloc entropy: 7.937091009432048
Source: vds.exe.6.dr Static PE information: section name: .reloc entropy: 7.941045748846461
Source: VSSVC.exe.6.dr Static PE information: section name: .reloc entropy: 7.939508466333068
Source: wbengine.exe.6.dr Static PE information: section name: .reloc entropy: 7.941253589303184
Source: wmpnetwk.exe.6.dr Static PE information: section name: .reloc entropy: 7.9465794243283545
Source: SearchIndexer.exe.6.dr Static PE information: section name: .reloc entropy: 7.945830998623169
Source: identity_helper.exe.6.dr Static PE information: section name: .reloc entropy: 7.940732812444733
Source: setup.exe.6.dr Static PE information: section name: .reloc entropy: 7.944723894883075
Source: msedgewebview2.exe.6.dr Static PE information: section name: .reloc entropy: 7.936556443377246
Source: msedge_proxy.exe.6.dr Static PE information: section name: .reloc entropy: 7.942258384223362
Source: msedge_pwa_launcher.exe.6.dr Static PE information: section name: .reloc entropy: 7.9462587980306765
Source: notification_click_helper.exe.6.dr Static PE information: section name: .reloc entropy: 7.944006817193669
Source: pwahelper.exe.6.dr Static PE information: section name: .reloc entropy: 7.940882612865116
Source: msedge_proxy.exe0.6.dr Static PE information: section name: .reloc entropy: 7.942246486712946
Source: 7zFM.exe.6.dr Static PE information: section name: .reloc entropy: 7.932115674220289
Source: 7zG.exe.6.dr Static PE information: section name: .reloc entropy: 7.927661955452567
Source: Acrobat.exe.6.dr Static PE information: section name: .reloc entropy: 7.940509411781235
Source: AcroCEF.exe.6.dr Static PE information: section name: .reloc entropy: 7.9375397048497005
Source: pwahelper.exe0.6.dr Static PE information: section name: .reloc entropy: 7.940887545213508
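
The section-name and entropy lines above come from two static checks that are cheap to reproduce: walk the IMAGE_SECTION_HEADER table and compute Shannon entropy over each section's raw bytes. The script below is an added example, not part of the Joe Sandbox report or of the sample, and it makes two assumptions: that the toolchain section names listed in the report (.00cfg, .gxfg, .retplne, .voltbl, .didat, _RDATA, malloc_h, LZMADEC, CPADinfo, all emitted routinely by MSVC and Chromium/Firefox builds) are benign by name, and that 7.5 bits per byte is a cut-off above which a .reloc section cannot be a genuine relocation table. The PEs it triages are constructed in memory; the "infected" one mirrors what the report shows for the dropped files, a .reloc section at roughly 7.94 bits per byte next to an otherwise ordinary layout.

```python
"""Per-section entropy triage for PE files: the static check behind the
section-name and entropy findings above. Stdlib only; the sample PEs are
constructed in memory and are parseable but not loadable."""
import hashlib
import math
import struct
from collections import Counter
from typing import List, Tuple

# Section names from the report that MSVC / Chromium / Firefox builds emit
# routinely (.00cfg holds CFG data, .didat delay-load imports, and so on).
# Assumption: benign by name; the entropy figure, not the name, is the signal.
KNOWN_TOOLCHAIN_SECTIONS = {".00cfg", ".gxfg", ".retplne", ".voltbl", ".didat",
                            "_RDATA", "malloc_h", "LZMADEC", "CPADinfo"}
# Relocation tables are highly structured; a .reloc near 8.0 bits/byte (the
# dropped files above sit at 7.93-7.95) means something else lives there.
ENTROPY_THRESHOLD = 7.5
CODE = 0x60000020    # IMAGE_SCN_CNT_CODE | MEM_EXECUTE | MEM_READ
DATA = 0x40000040    # IMAGE_SCN_CNT_INITIALIZED_DATA | MEM_READ
RELOC = 0x42000040   # DATA | IMAGE_SCN_MEM_DISCARDABLE, the normal .reloc flags
MEM_EXECUTE = 0x20000000


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte, 0.0 (constant) to 8.0 (uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_sections(pe: bytes) -> List[Tuple[str, int, bytes]]:
    """Return (name, characteristics, raw bytes) per IMAGE_SECTION_HEADER."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size      # section table follows the optional header
    out = []
    for i in range(num_sections):
        off = table + 40 * i
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", pe, off + 16)
        chars = struct.unpack_from("<I", pe, off + 36)[0]
        out.append((name, chars, pe[raw_ptr:raw_ptr + raw_size]))
    return out


def triage(pe: bytes) -> List[Tuple[str, float, str]]:
    """(name, entropy, verdict) per section. Verdicts: suspicious-reloc
    (the pattern in the report), packed-code, toolchain, ok."""
    rows = []
    for name, chars, raw in parse_sections(pe):
        ent = round(shannon_entropy(raw), 3)
        if name == ".reloc" and ent > ENTROPY_THRESHOLD:
            verdict = "suspicious-reloc"
        elif chars & MEM_EXECUTE and ent > ENTROPY_THRESHOLD:
            verdict = "packed-code"
        elif name in KNOWN_TOOLCHAIN_SECTIONS:
            verdict = "toolchain"
        else:
            verdict = "ok"
        rows.append((name, ent, verdict))
    return rows


def flagged(pe: bytes) -> List[str]:
    """Section names that warrant a closer look."""
    return [n for n, _, v in triage(pe) if v in ("suspicious-reloc", "packed-code")]


# ---- constructed sample input (synthetic, not real binaries) ---------------
def build_pe(sections: List[Tuple[str, bytes, int]]) -> bytes:
    """Minimal PE32 image with the given (name, data, characteristics) sections."""
    e_lfanew, opt_size = 0x40, 0xE0
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", e_lfanew)
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt_hdr = struct.pack("<H", 0x10B).ljust(opt_size, b"\0")
    hdr_end = e_lfanew + 4 + 20 + opt_size + 40 * len(sections)
    first_raw = raw_ptr = (hdr_end + 0x1FF) & ~0x1FF   # 512-byte file alignment
    table, bodies = b"", b""
    for name, data, chars in sections:
        table += name.encode().ljust(8, b"\0") + struct.pack(
            "<IIIIIIHHI", len(data), 0x1000, len(data), raw_ptr, 0, 0, 0, 0, chars)
        bodies += data
        raw_ptr += len(data)
    img = dos + b"PE\0\0" + file_hdr + opt_hdr + table
    return img.ljust(first_raw, b"\0") + bodies


def _noise(n: int, seed: bytes) -> bytes:
    """Deterministic high-entropy filler standing in for an encrypted payload."""
    out = b"".join(hashlib.sha256(seed + i.to_bytes(4, "little")).digest()
                   for i in range(n // 32 + 1))
    return out[:n]


TEXT = bytes(range(64)) * 8            # 64 equiprobable byte values: entropy 6.0
# A genuine relocation block: page RVA, block size, 64 HIGHLOW (type 3) entries.
REAL_RELOCS = struct.pack("<II", 0x1000, 8 + 2 * 64) + b"".join(
    struct.pack("<H", 0x3000 | (i * 4)) for i in range(64))


def clean_sample() -> bytes:
    return build_pe([(".text", TEXT, CODE), (".00cfg", b"\0" * 16, DATA),
                     (".reloc", REAL_RELOCS, RELOC)])


def infected_sample() -> bytes:
    """Same layout, but .reloc now carries 4 KiB of encrypted-looking payload."""
    return build_pe([(".text", TEXT, CODE), (".00cfg", b"\0" * 16, DATA),
                     (".reloc", _noise(4096, b"payload"), RELOC)])


if __name__ == "__main__":
    for label, sample in [("clean", clean_sample()), ("infected", infected_sample())]:
        print(label, triage(sample))
```

On a real file the call is `triage(open(path, "rb").read())`. The name list alone would flag every Firefox, Edge and Acrobat binary on a host, which is why the verdict keys off entropy and the section characteristics rather than the name; a .reloc section that no longer looks like relocation data inside a vendor binary is the signal worth chasing, and since any byte change in that range breaks the file's Authenticode hash, signature verification on the same files is a cheap second check.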

Persistence and Installation Behavior

Source: C:\Windows\System32\alg.exe File created: C:\Windows\system32\config\systemprofile\AppData\Roaming\73722fd785394ff7.bin
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe (14 identical write events)
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe (11 identical write events)
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe (14 identical write events)
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe (14 identical write events)
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe (14 identical write events)
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe (11 identical write events)
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe (11 identical write events)
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe (11 identical write events)
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe (11 identical write events)
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe (14 identical write events)
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe (14 identical write events)
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe (11 identical write events)
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe (11 identical write events)
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe (14 identical write events)
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Mozilla Firefox\crashreporter.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Mozilla Firefox\crashreporter.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Mozilla Firefox\crashreporter.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Mozilla Firefox\crashreporter.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Mozilla Firefox\crashreporter.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Mozilla Firefox\crashreporter.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Mozilla Firefox\crashreporter.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Mozilla Firefox\crashreporter.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Mozilla Firefox\crashreporter.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Mozilla Firefox\crashreporter.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Mozilla Firefox\crashreporter.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Mozilla Firefox\crashreporter.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Mozilla Firefox\crashreporter.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Mozilla Firefox\crashreporter.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Mozilla Firefox\firefox.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Mozilla Firefox\firefox.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Mozilla Firefox\firefox.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Mozilla Firefox\firefox.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Mozilla Firefox\firefox.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Mozilla Firefox\firefox.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Mozilla Firefox\firefox.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Mozilla Firefox\firefox.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Mozilla Firefox\firefox.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Mozilla Firefox\firefox.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Mozilla Firefox\firefox.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Mozilla Firefox\pingsender.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Mozilla Firefox\plugin-container.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Mozilla Firefox\private_browsing.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files\Mozilla Firefox\updater.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Windows\System32\wbem\WmiApSrv.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\chrome_pwa_launcher.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\chrmstp.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Program Files\Mozilla Firefox\pingsender.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Windows\System32\vds.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\setup.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Windows\System32\alg.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Program Files\7-Zip\7zFM.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Windows\System32\snmptrap.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Windows\System32\Spectrum.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Program Files\Windows Media Player\wmpnetwk.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Windows\System32\Locator.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Program Files\7-Zip\7z.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Windows\System32\AppVClient.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Program Files\Mozilla Firefox\crashreporter.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Windows\SysWOW64\perfhost.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Program Files\7-Zip\7zG.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Windows\System32\msiexec.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Windows\System32\VSSVC.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Windows\System32\wbengine.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Windows\System32\SearchIndexer.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\notification_helper.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Program Files\Mozilla Firefox\private_browsing.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Windows\System32\TieringEngineService.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Program Files\Mozilla Firefox\firefox.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Program Files (x86)\AutoIt3\Au3Info.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Program Files\Mozilla Firefox\updater.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Program Files (x86)\AutoIt3\Au3Check.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\elevation_service.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Windows\System32\AgentService.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Program Files\7-Zip\Uninstall.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Program Files\Google\Chrome\Application\chrome_proxy.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Windows\System32\FXSSVC.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Windows\System32\OpenSSH\ssh-agent.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe System file written: C:\Windows\System32\sppsvc.exe
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Windows\System32\SensorDataService.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Windows\System32\msdtc.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Program Files\Mozilla Firefox\plugin-container.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\chrome_pwa_launcher.exe Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\chrmstp.exe Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\servertool.exe Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Program Files\Mozilla Firefox\pingsender.exe Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Windows\System32\vds.exe Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\setup.exe Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Windows\System32\snmptrap.exe Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Windows\System32\Spectrum.exe Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Program Files\Windows Media Player\wmpnetwk.exe Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Windows\System32\Locator.exe Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Program Files\Mozilla Firefox\default-browser-agent.exe Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Program Files\7-Zip\7z.exe Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Windows\System32\AppVClient.exe Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Program Files\Mozilla Firefox\crashreporter.exe Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Windows\SysWOW64\perfhost.exe Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Program Files\7-Zip\7zG.exe Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Windows\System32\msiexec.exe Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\keytool.exe Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe Jump to dropped file
Source: C:\Users\user\Desktop\tyRPPK48Mk.exe File created: C:\Users\user\AppData\Local\directory\name.exe Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\notification_helper.exe Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exe Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Program Files\Mozilla Firefox\maintenanceservice.exe Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exe Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Program Files\Mozilla Firefox\firefox.exe Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Windows\System32\TieringEngineService.exe Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Program Files\Mozilla Firefox\updater.exe Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\kinit.exe Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Program Files (x86)\AutoIt3\Au3Check.exe Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\elevation_service.exe
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\policytool.exe
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Program Files\7-Zip\Uninstall.exe
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Windows\System32\FXSSVC.exe
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\rmiregistry.exe
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Program Files (x86)\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe File created: C:\Windows\System32\sppsvc.exe
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Windows\System32\SensorDataService.exe
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Windows\System32\msdtc.exe
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\java-rmi.exe
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Windows\System32\wbem\WmiApSrv.exe
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\pack200.exe
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\jabswitch.exe
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Windows\System32\alg.exe
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.132\117.0.5938.132_chrome_installer.exe
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\rmid.exe
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Program Files\7-Zip\7zFM.exe
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\klist.exe
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\tnameserv.exe
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Windows\System32\VSSVC.exe
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Windows\System32\wbengine.exe
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Windows\System32\SearchIndexer.exe
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Program Files\Mozilla Firefox\private_browsing.exe
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Program Files (x86)\AutoIt3\Au3Info.exe
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\jjs.exe
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exe
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\orbd.exe
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Windows\System32\AgentService.exe
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exe
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\ktab.exe
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Windows\System32\OpenSSH\ssh-agent.exe
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Program Files\Mozilla Firefox\plugin-container.exe
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Windows\System32\snmptrap.exe
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Windows\System32\Spectrum.exe
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Windows\System32\Locator.exe
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Windows\System32\AppVClient.exe
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Windows\System32\TieringEngineService.exe
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Windows\System32\vds.exe
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Windows\SysWOW64\perfhost.exe
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Windows\System32\msiexec.exe

Boot Survival

Source: C:\Users\user\AppData\Local\directory\name.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\TieringEngineService.exe File created: C:\System Volume Information\Heat\
Source: C:\Users\user\Desktop\tyRPPK48Mk.exe Code function: 0_2_0047A330 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 0_2_0047A330
Source: C:\Users\user\Desktop\tyRPPK48Mk.exe Code function: 0_2_00434418 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_00434418
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 1_2_0047A330 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 1_2_0047A330
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 1_2_00434418 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput, 1_2_00434418
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 3_2_0047A330 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 3_2_0047A330
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 3_2_00434418 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput, 3_2_00434418
Source: C:\Users\user\Desktop\tyRPPK48Mk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\directory\name.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\System32\AppVClient.exe Code function: 12_2_005352A0 GetSystemDefaultLangID, lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] 12_2_005352A0
Source: C:\Windows\System32\FXSSVC.exe Code function: 15_2_009852A0 GetSystemDefaultLangID, lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] 15_2_009852A0
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Code function: 19_2_01A352A0 GetSystemDefaultLangID, lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] 19_2_01A352A0
Source: C:\Users\user\AppData\Local\directory\name.exe API/Special instruction interceptor: Address: 4C1025C
Source: C:\Users\user\AppData\Local\directory\name.exe API/Special instruction interceptor: Address: 4CE62A4
Source: C:\Users\user\AppData\Local\directory\name.exe API/Special instruction interceptor: Address: 4CD9264
Source: C:\Users\user\AppData\Local\directory\name.exe API/Special instruction interceptor: Address: 4C1728C
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\SysWOW64\svchost.exe Window / User API: threadDelayed 1996
Source: C:\Windows\SysWOW64\svchost.exe Window / User API: threadDelayed 6864
Source: C:\Windows\System32\msdtc.exe Window / User API: threadDelayed 488
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\117.0.5938.132\chrome_pwa_launcher.exe
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\chrmstp.exe
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\servertool.exe
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\pingsender.exe
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\setup.exe
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Program Files\Windows Media Player\wmpnetwk.exe
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\default-browser-agent.exe
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Program Files\7-Zip\7z.exe
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\crashreporter.exe
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Program Files\7-Zip\7zG.exe
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Windows\System32\msiexec.exe
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\keytool.exe
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\117.0.5938.132\notification_helper.exe
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exe
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\maintenanceservice.exe
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exe
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\firefox.exe
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\updater.exe
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\kinit.exe
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Check.exe
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\117.0.5938.132\elevation_service.exe
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\policytool.exe
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Program Files\7-Zip\Uninstall.exe
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\rmiregistry.exe
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe Dropped PE file which has not been started: C:\Windows\System32\sppsvc.exe
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\java-rmi.exe
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Windows\System32\wbem\WmiApSrv.exe
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\pack200.exe
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\jabswitch.exe
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.132\117.0.5938.132_chrome_installer.exe
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\rmid.exe
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Program Files\7-Zip\7zFM.exe
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\klist.exe
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\tnameserv.exe
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Windows\System32\VSSVC.exe
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Windows\System32\SearchIndexer.exe Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\private_browsing.exe Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Info.exe Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\jjs.exe Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exe Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\orbd.exe Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\chrome_proxy.exe Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exe Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\ktab.exe Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\plugin-container.exe Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\directory\name.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Users\user\Desktop\tyRPPK48Mk.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\System32\FXSSVC.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\System32\AppVClient.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\Desktop\tyRPPK48Mk.exe API coverage: 4.0 %
Source: C:\Users\user\AppData\Local\directory\name.exe API coverage: 3.7 %
Source: C:\Users\user\AppData\Local\directory\name.exe API coverage: 3.6 %
Source: C:\Windows\SysWOW64\svchost.exe TID: 4956 Thread sleep count: 1996 > 30
Source: C:\Windows\SysWOW64\svchost.exe TID: 4956 Thread sleep time: -5988000s >= -30000s
Source: C:\Windows\SysWOW64\svchost.exe TID: 7080 Thread sleep time: -510000s >= -30000s
Source: C:\Windows\SysWOW64\svchost.exe TID: 4956 Thread sleep count: 6864 > 30
Source: C:\Windows\SysWOW64\svchost.exe TID: 4956 Thread sleep time: -20592000s >= -30000s
Source: C:\Windows\System32\alg.exe TID: 5780 Thread sleep time: -150000s >= -30000s
Source: C:\Windows\System32\alg.exe TID: 7028 Thread sleep time: -60000s >= -30000s
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe TID: 7492 Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\msdtc.exe TID: 7720 Thread sleep count: 488 > 30
Source: C:\Windows\System32\msdtc.exe TID: 7720 Thread sleep time: -48800s >= -30000s
Source: C:\Windows\System32\msdtc.exe TID: 7692 Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe TID: 7912 Thread sleep time: -60000s >= -30000s
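The sleep signatures above give, per thread, the number of sleep calls and the cumulative delay measured against the sandbox's 30000 threshold (the report prints the delays as negative relative values with an "s" suffix). Reading the count and time lines together separates a stalling loop (thousands of short sleeps that add up, as in svchost.exe TID 4956) from a single long delay (TID 7080), which matters when deciding whether to patch the sleep or fast-forward the clock on re-analysis. The Python below is an added example, not code from the Joe Sandbox report or from the sample: it parses lines in the report's format (the embedded input is copied from the lines above), takes the largest count and cumulative time per thread as the final snapshot, and derives the average delay per call. The unit is passed through as printed by the report, and the loop threshold of 30 calls is the report's own "> 30".

```python
import re
from collections import defaultdict

# Constructed input: sleep signature lines in the report's format, copied from this report.
SAMPLE_LINES = r"""
Source: C:\Windows\SysWOW64\svchost.exe TID: 4956 Thread sleep count: 1996 > 30
Source: C:\Windows\SysWOW64\svchost.exe TID: 4956 Thread sleep time: -5988000s >= -30000s
Source: C:\Windows\SysWOW64\svchost.exe TID: 7080 Thread sleep time: -510000s >= -30000s
Source: C:\Windows\SysWOW64\svchost.exe TID: 4956 Thread sleep count: 6864 > 30
Source: C:\Windows\SysWOW64\svchost.exe TID: 4956 Thread sleep time: -20592000s >= -30000s
Source: C:\Windows\System32\alg.exe TID: 5780 Thread sleep time: -150000s >= -30000s
Source: C:\Windows\System32\msdtc.exe TID: 7720 Thread sleep count: 488 > 30
Source: C:\Windows\System32\msdtc.exe TID: 7720 Thread sleep time: -48800s >= -30000s
"""

# One regex covers both line kinds; the leading '-' and trailing 's' are how the
# report prints relative delays and are discarded.
LINE_RE = re.compile(
    r"^Source: (?P<proc>.+?) TID: (?P<tid>\d+) Thread sleep (?P<kind>count|time): "
    r"-?(?P<value>\d+)s? >=? -?(?P<threshold>\d+)s?"
)


def parse_sleep_lines(text):
    """Collect every count/time observation per (process image, thread id)."""
    threads = defaultdict(lambda: {"counts": [], "times": [], "time_threshold": None})
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        rec = threads[(m["proc"], int(m["tid"]))]
        value = int(m["value"])
        if m["kind"] == "count":
            rec["counts"].append(value)
        else:
            rec["times"].append(value)
            rec["time_threshold"] = int(m["threshold"])
    return dict(threads)


def classify_threads(threads, loop_min_calls=30):
    """Label each thread 'loop' (many sleeps adding up), 'single' (one long delay) or 'unknown'.

    The report prints the same thread several times as its counters grow, so the
    largest count and the largest cumulative time are taken as the final snapshot.
    """
    out = {}
    for key, rec in threads.items():
        total = max(rec["times"]) if rec["times"] else 0
        calls = max(rec["counts"]) if rec["counts"] else 0
        per_call = total / calls if calls else None
        if calls > loop_min_calls and total:
            label = "loop"
        elif total:
            label = "single"
        else:
            label = "unknown"
        out[key] = {"total": total, "calls": calls, "per_call": per_call, "label": label}
    return out


if __name__ == "__main__":
    for (proc, tid), r in classify_threads(parse_sleep_lines(SAMPLE_LINES)).items():
        print(f"{proc} TID {tid}: {r['label']} total={r['total']} "
              f"calls={r['calls']} per_call={r['per_call']}")
```

For this report the svchost.exe thread 4956 comes out as a loop with a constant 3000 per call across both snapshots, and msdtc.exe thread 7720 as a loop of 100 per call, while threads 7080 and 5780 are single long delays.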
Source: C:\Users\user\Desktop\tyRPPK48Mk.exe Code function: 0_2_00452492 FindFirstFileW,Sleep,FindNextFileW,FindClose, 0_2_00452492
Source: C:\Users\user\Desktop\tyRPPK48Mk.exe Code function: 0_2_00442886 FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00442886
Source: C:\Users\user\Desktop\tyRPPK48Mk.exe Code function: 0_2_004788BD FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 0_2_004788BD
Source: C:\Users\user\Desktop\tyRPPK48Mk.exe Code function: 0_2_004339B6 GetFileAttributesW,FindFirstFileW,FindClose, 0_2_004339B6
Source: C:\Users\user\Desktop\tyRPPK48Mk.exe Code function: 0_2_0045CAFA FindFirstFileW,FindNextFileW,FindClose, 0_2_0045CAFA
Source: C:\Users\user\Desktop\tyRPPK48Mk.exe Code function: 0_2_00431A86 FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00431A86
Source: C:\Users\user\Desktop\tyRPPK48Mk.exe Code function: 0_2_0044BD27 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose, 0_2_0044BD27
Source: C:\Users\user\Desktop\tyRPPK48Mk.exe Code function: 0_2_0045DE8F FindFirstFileW,FindClose, 0_2_0045DE8F
Source: C:\Users\user\Desktop\tyRPPK48Mk.exe Code function: 0_2_0044BF8B _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_0044BF8B
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 1_2_00452492 FindFirstFileW,Sleep,FindNextFileW,FindClose, 1_2_00452492
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 1_2_00442886 FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 1_2_00442886
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 1_2_004788BD FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 1_2_004788BD
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 1_2_004339B6 GetFileAttributesW,FindFirstFileW,FindClose, 1_2_004339B6
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 1_2_0045CAFA FindFirstFileW,FindNextFileW,FindClose, 1_2_0045CAFA
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 1_2_00431A86 FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 1_2_00431A86
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 1_2_0044BD27 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose, 1_2_0044BD27
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 1_2_0045DE8F FindFirstFileW,FindClose, 1_2_0045DE8F
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 1_2_0044BF8B _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose, 1_2_0044BF8B
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 3_2_00452492 FindFirstFileW,Sleep,FindNextFileW,FindClose, 3_2_00452492
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 3_2_00442886 FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 3_2_00442886
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 3_2_004788BD FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 3_2_004788BD
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 3_2_004339B6 GetFileAttributesW,FindFirstFileW,FindClose, 3_2_004339B6
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 3_2_0045CAFA FindFirstFileW,FindNextFileW,FindClose, 3_2_0045CAFA
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 3_2_00431A86 FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 3_2_00431A86
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 3_2_0044BD27 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose, 3_2_0044BD27
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 3_2_0045DE8F FindFirstFileW,FindClose, 3_2_0045DE8F
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 3_2_0044BF8B _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose, 3_2_0044BF8B
Source: C:\Users\user\Desktop\tyRPPK48Mk.exe Code function: 0_2_0040E500 GetVersionExW,GetCurrentProcess,GetNativeSystemInfo,FreeLibrary,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,FreeLibrary, 0_2_0040E500
Source: C:\Windows\System32\alg.exe Thread delayed: delay time: 60000
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe Thread delayed: delay time: 60000
Source: C:\Windows\System32\msdtc.exe Thread delayed: delay time: 60000
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe Thread delayed: delay time: 60000
Source: C:\Windows\SysWOW64\svchost.exe File opened: C:\Documents and Settings\user\AppData\Local\
Source: C:\Windows\SysWOW64\svchost.exe File opened: C:\Documents and Settings\user\AppData\Local\Adobe\Acrobat\DC\
Source: C:\Windows\SysWOW64\svchost.exe File opened: C:\Documents and Settings\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\
Source: C:\Windows\SysWOW64\svchost.exe File opened: C:\Documents and Settings\user\AppData\Local\Adobe\
Source: C:\Windows\SysWOW64\svchost.exe File opened: C:\Documents and Settings\user\AppData\Local\Adobe\Acrobat\
Source: C:\Windows\SysWOW64\svchost.exe File opened: C:\Documents and Settings\user\AppData\Local\Adobe\Acrobat\DC\Cache\
Source: Spectrum.exe, 0000001E.00000003.2022230753.00000000005F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: Spectrum.exe, 0000001E.00000003.2022230753.00000000005F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Drivertion Infrastructure Driver
Source: Spectrum.exe, 0000001E.00000003.2022230753.00000000005F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: alg.exe, 00000008.00000003.2431200193.0000000000573000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000008.00000003.1942758358.0000000000573000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000008.00000003.1935362929.0000000000573000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000008.00000003.2644014392.0000000000573000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000008.00000003.2250815667.0000000000573000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000008.00000003.2458126956.0000000000573000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000008.00000003.2293661873.0000000000573000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000008.00000003.1971647597.0000000000573000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000008.00000003.1957305293.0000000000573000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000008.00000003.1890190874.0000000000573000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000008.00000003.2314296251.0000000000573000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: Spectrum.exe, 0000001E.00000003.2022230753.00000000005F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware VMCI Bus Devicesdevicedesc%;VMware VMCI Bus Device
Source: Spectrum.exe, 0000001E.00000003.2022230753.00000000005F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: NECVMWar VMware SATA CD00l
Source: Spectrum.exe, 0000001E.00000003.2022230753.00000000005F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: `SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: C:\Users\user\Desktop\tyRPPK48Mk.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\directory\name.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\directory\name.exe API call chain: ExitProcess graph end node
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\tyRPPK48Mk.exe Code function: 0_2_0045A370 BlockInput, 0_2_0045A370
Source: C:\Users\user\Desktop\tyRPPK48Mk.exe Code function: 0_2_0040D590 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,GetForegroundWindow,ShellExecuteW, 0_2_0040D590
Source: C:\Users\user\Desktop\tyRPPK48Mk.exe Code function: 0_2_0040EBD0 LoadLibraryA,GetProcAddress, 0_2_0040EBD0
Source: C:\Users\user\Desktop\tyRPPK48Mk.exe Code function: 0_2_0493B288 mov eax, dword ptr fs:[00000030h] 0_2_0493B288
Source: C:\Users\user\Desktop\tyRPPK48Mk.exe Code function: 0_2_0493B2E8 mov eax, dword ptr fs:[00000030h] 0_2_0493B2E8
Source: C:\Users\user\Desktop\tyRPPK48Mk.exe Code function: 0_2_04939C38 mov eax, dword ptr fs:[00000030h] 0_2_04939C38
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 1_2_04C104C8 mov eax, dword ptr fs:[00000030h] 1_2_04C104C8
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 1_2_04C10528 mov eax, dword ptr fs:[00000030h] 1_2_04C10528
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 1_2_04C0EE78 mov eax, dword ptr fs:[00000030h] 1_2_04C0EE78
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 3_2_04CE6570 mov eax, dword ptr fs:[00000030h] 3_2_04CE6570
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 3_2_04CE6510 mov eax, dword ptr fs:[00000030h] 3_2_04CE6510
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 3_2_04CE4EC0 mov eax, dword ptr fs:[00000030h] 3_2_04CE4EC0
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 5_2_04CD94D0 mov eax, dword ptr fs:[00000030h] 5_2_04CD94D0
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 5_2_04CD7E80 mov eax, dword ptr fs:[00000030h] 5_2_04CD7E80
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 5_2_04CD9530 mov eax, dword ptr fs:[00000030h] 5_2_04CD9530
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 18_2_04C17558 mov eax, dword ptr fs:[00000030h] 18_2_04C17558
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 18_2_04C174F8 mov eax, dword ptr fs:[00000030h] 18_2_04C174F8
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 18_2_04C15EA8 mov eax, dword ptr fs:[00000030h] 18_2_04C15EA8
Source: C:\Users\user\Desktop\tyRPPK48Mk.exe Code function: 0_2_004238DA __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock, 0_2_004238DA
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe Process token adjusted: Debug
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Process token adjusted: Debug
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\tyRPPK48Mk.exe Code function: 0_2_0041F250 SetUnhandledExceptionFilter, 0_2_0041F250
Source: C:\Users\user\Desktop\tyRPPK48Mk.exe Code function: 0_2_0041A208 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0041A208
Source: C:\Users\user\Desktop\tyRPPK48Mk.exe Code function: 0_2_00417DAA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00417DAA
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 1_2_0041F250 SetUnhandledExceptionFilter, 1_2_0041F250
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 1_2_0041A208 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_0041A208
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 1_2_00417DAA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_00417DAA
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 3_2_0041F250 SetUnhandledExceptionFilter, 3_2_0041F250
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 3_2_0041A208 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_0041A208
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 3_2_00417DAA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_00417DAA

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\svchost.exe Network Connect: 3.254.94.185 80
Source: C:\Windows\SysWOW64\svchost.exe Network Connect: 204.10.160.212 6622
Source: C:\Windows\SysWOW64\svchost.exe Network Connect: 3.94.10.34 80
Source: C:\Windows\SysWOW64\svchost.exe Network Connect: 34.246.200.160 80
Source: C:\Windows\SysWOW64\svchost.exe Network Connect: 172.234.222.143 80
Source: C:\Windows\SysWOW64\svchost.exe Network Connect: 18.208.156.248 80
Source: C:\Windows\SysWOW64\svchost.exe Network Connect: 34.211.97.45 80
Source: C:\Windows\SysWOW64\svchost.exe Network Connect: 208.100.26.245 80
Source: C:\Windows\SysWOW64\svchost.exe Network Connect: 35.164.78.200 80
Source: C:\Windows\SysWOW64\svchost.exe Network Connect: 165.160.13.20 80
Source: C:\Windows\SysWOW64\svchost.exe Network Connect: 44.213.104.86 80
Source: C:\Windows\SysWOW64\svchost.exe Network Connect: 44.221.84.105 80
Source: C:\Windows\SysWOW64\svchost.exe Network Connect: 85.214.228.140 80
Source: C:\Windows\SysWOW64\svchost.exe Network Connect: 54.244.188.177 80
Source: C:\Windows\SysWOW64\svchost.exe Network Connect: 13.251.16.150 80
Source: C:\Windows\SysWOW64\svchost.exe Network Connect: 47.129.31.212 80
Source: C:\Windows\SysWOW64\svchost.exe Network Connect: 82.112.184.197 80
Source: C:\Windows\SysWOW64\svchost.exe Network Connect: 18.141.10.107 80
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe NtQuerySystemInformation: Indirect: 0x9B8462
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe NtOpenKeyEx: Indirect: 0x140077B9B
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe NtQueryValueKey: Indirect: 0x140077C9F
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe NtClose: Indirect: 0x140077E81
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe NtQuerySystemInformation: Indirect: 0xB98462
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe NtAdjustPrivilegesToken: Indirect: 0x9B864C
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe NtAdjustPrivilegesToken: Indirect: 0xB9864C
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\directory\name.exe Memory written: C:\Windows\SysWOW64\svchost.exe base: AEF008
Source: C:\Users\user\AppData\Local\directory\name.exe Memory written: C:\Windows\SysWOW64\svchost.exe base: 3EB008
Source: C:\Users\user\Desktop\tyRPPK48Mk.exe Code function: 0_2_00436CD7 LogonUserW, 0_2_00436CD7
Source: C:\Users\user\Desktop\tyRPPK48Mk.exe Code function: 0_2_0040D590 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,GetForegroundWindow,ShellExecuteW, 0_2_0040D590
Source: C:\Users\user\Desktop\tyRPPK48Mk.exe Code function: 0_2_00434418 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_00434418
Source: C:\Users\user\Desktop\tyRPPK48Mk.exe Code function: 0_2_0043333C __wcsicoll,mouse_event,__wcsicoll,mouse_event, 0_2_0043333C
Source: C:\Users\user\AppData\Local\directory\name.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\tyRPPK48Mk.exe"
Source: C:\Users\user\AppData\Local\directory\name.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Local\directory\name.exe"
Source: C:\Users\user\AppData\Local\directory\name.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Local\directory\name.exe"
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\directory\name.exe "C:\Users\user\AppData\Local\directory\name.exe"
Source: C:\Users\user\AppData\Local\directory\name.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Local\directory\name.exe"
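The process-creation lines above show name.exe starting C:\Windows\SysWOW64\svchost.exe with a command line that names name.exe or tyRPPK48Mk.exe rather than svchost.exe, after mapping an executable section into svchost.exe and writing to its memory, and that same svchost.exe is the process behind the network connections listed earlier in this section; name.exe itself was launched by wscript.exe from AppData. Three host-side checks follow directly from this: an image path whose basename differs from the executable named on the command line (a hollowing indicator), a svchost.exe whose parent is not services.exe, and a script host launching an executable out of AppData. The Python below is an added example, not code from the report, from Joe Sandbox or from the sample: it runs those checks over a small set of constructed process and network events built from the lines above and attaches network activity only to processes that were already flagged. The PIDs, the benign services.exe reference event, the 192.0.2.10 destination and the event field names are assumptions.

```python
import ntpath

# Constructed events modelled on the process-creation and network lines of this report.
# PIDs, the benign services.exe reference event and the field names are assumptions.
PROC_EVENTS = [
    {"pid": 900, "parent_image": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs"},          # benign reference
    {"pid": 4100, "parent_image": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Users\user\AppData\Local\directory\name.exe",
     "cmdline": r'"C:\Users\user\AppData\Local\directory\name.exe"'},    # from the report
    {"pid": 5200, "parent_image": r"C:\Users\user\AppData\Local\directory\name.exe",
     "image": r"C:\Windows\SysWOW64\svchost.exe",
     "cmdline": r'"C:\Users\user\AppData\Local\directory\name.exe"'},    # from the report
]
NET_EVENTS = [
    {"pid": 5200, "image": r"C:\Windows\SysWOW64\svchost.exe", "dst": "204.10.160.212", "port": 6622},
    {"pid": 5200, "image": r"C:\Windows\SysWOW64\svchost.exe", "dst": "3.254.94.185", "port": 80},
    {"pid": 900, "image": r"C:\Windows\System32\svchost.exe", "dst": "192.0.2.10", "port": 80},  # constructed
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def exe_from_cmdline(cmdline):
    """First token of a Windows command line, honouring a quoted program path."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    return s.split(" ", 1)[0]


def base(path):
    # ntpath handles backslash paths on any host OS.
    return ntpath.basename(path).lower()


def detect(proc_events, net_events):
    """Return one alert per suspicious PID, listing every check that fired."""
    alerts = {}
    for ev in proc_events:
        img = base(ev["image"])
        cmd_exe = base(exe_from_cmdline(ev["cmdline"]))
        parent = base(ev["parent_image"])
        reasons = []
        # Hollowing / masquerade: the loaded image is not the program the command line names.
        if cmd_exe != img:
            reasons.append(f"image/command-line mismatch ({img} vs {cmd_exe}): process hollowing indicator")
        # Legitimate service hosts are started by services.exe.
        if img == "svchost.exe" and parent != "services.exe":
            reasons.append(f"svchost.exe spawned by {parent} instead of services.exe")
        # Script-host dropper: wscript/cscript launching a binary out of the user profile.
        if parent in SCRIPT_HOSTS and "\\appdata\\" in ev["image"].lower():
            reasons.append("script host launched an executable from AppData: dropper pattern")
        if reasons:
            alerts[ev["pid"]] = {"pid": ev["pid"], "image": ev["image"], "reasons": reasons}
    # Network activity is attached only to already-flagged PIDs, so ordinary
    # svchost.exe traffic from a benign host does not alert on its own.
    for n in net_events:
        if n["pid"] in alerts:
            alerts[n["pid"]]["reasons"].append(
                f"network connect {n['dst']}:{n['port']} from flagged process")
    return list(alerts.values())


if __name__ == "__main__":
    for a in detect(PROC_EVENTS, NET_EVENTS):
        print(f"PID {a['pid']} {a['image']}")
        for r in a["reasons"]:
            print(f"  - {r}")
```

On a real host the same fields come from Sysmon Event ID 1 (Image, CommandLine, ParentImage) and Event ID 3 (network connections), and the PID join is what keeps the rule from firing on every svchost.exe flow. For this report's events the SysWOW64 svchost.exe (PID 5200 here) is flagged twice on creation and then carries both connections, including the non-web port 6622, while the benign services.exe-launched host is not reported at all.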
Source: C:\Users\user\Desktop\tyRPPK48Mk.exe Code function: 0_2_00446124 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity, 0_2_00446124
Source: name.exe Binary or memory string: Shell_TrayWnd
Source: tyRPPK48Mk.exe, 00000000.00000002.1784996228.0000000000482000.00000002.00000001.01000000.00000003.sdmp, tyRPPK48Mk.exe, 00000000.00000000.1770251172.0000000000482000.00000002.00000001.01000000.00000003.sdmp, tyRPPK48Mk.exe, 00000000.00000003.1783849025.00000000058B0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: JDASCRWINUPRWINDOWNLWINUPLWINDOWNSHIFTUPSHIFTDOWNALTUPALTDOWNCTRLUPCTRLDOWNMOUSE_XBUTTON2MOUSE_XBUTTON1MOUSE_MBUTTONMOUSE_RBUTTONMOUSE_LBUTTONLAUNCH_APP2LAUNCH_APP1LAUNCH_MEDIALAUNCH_MAILMEDIA_PLAY_PAUSEMEDIA_STOPMEDIA_PREVMEDIA_NEXTVOLUME_UPVOLUME_DOWNVOLUME_MUTEBROWSER_HOMEBROWSER_FAVORTIESBROWSER_SEARCHBROWSER_STOPBROWSER_REFRESHBROWSER_FORWARDBROWSER_BACKNUMPADENTERSLEEPRSHIFTLSHIFTRALTLALTRCTRLLCTRLAPPSKEYNUMPADDIVNUMPADDOTNUMPADSUBNUMPADADDNUMPADMULTNUMPAD9NUMPAD8NUMPAD7NUMPAD6NUMPAD5NUMPAD4NUMPAD3NUMPAD2NUMPAD1NUMPAD0CAPSLOCKPAUSEBREAKNUMLOCKSCROLLLOCKRWINLWINPRINTSCREENUPTABSPACERIGHTPGUPPGDNLEFTINSERTINSHOMEF12F11F10F9F8F7F6F5F4F3F2F1ESCAPEESCENTERENDDOWNDELETEDELBSBACKSPACEALTONOFF0%d%dShell_TrayWndExitScript Pausedblankinfoquestionstopwarning
Source: C:\Windows\SysWOW64\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\alg.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\AppVClient.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\FXSSVC.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\FXSSVC.exe Queries volume information: C:\ProgramData\Microsoft\Windows NT\MSFax\Queue\TSTDA9F.tmp VolumeInformation
Source: C:\Windows\System32\FXSSVC.exe Queries volume information: C:\ProgramData\Microsoft\Windows NT\MSFax\TSTDAAF.tmp VolumeInformation
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\msdtc.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\Locator.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\SensorDataService.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\snmptrap.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\Spectrum.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\OpenSSH\ssh-agent.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\TieringEngineService.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\AgentService.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\vds.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\wbengine.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\TieringEngineService.exe Key value queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\TimeZoneInformation Bias
Source: C:\Users\user\Desktop\tyRPPK48Mk.exe Code function: 0_2_004720DB GetLocalTime,__swprintf,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW, 0_2_004720DB
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 1_2_00472C3F GetUserNameW, 1_2_00472C3F
Source: C:\Users\user\Desktop\tyRPPK48Mk.exe Code function: 0_2_0041E364 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte, 0_2_0041E364
Source: C:\Users\user\Desktop\tyRPPK48Mk.exe Code function: 0_2_0040E500 GetVersionExW,GetCurrentProcess,GetNativeSystemInfo,FreeLibrary,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,FreeLibrary, 0_2_0040E500
Source: C:\Users\user\Desktop\tyRPPK48Mk.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 1.2.name.exe.3c50000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.name.exe.3d80000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.name.exe.3d80000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.name.exe.39b0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.name.exe.3d80000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.name.exe.3d80000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.name.exe.3c50000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.name.exe.39b0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.1824115002.0000000003D80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.1806914004.0000000003C50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.1962839216.00000000039B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.1958069943.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1848783066.0000000003D80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.1959006729.0000000000822000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: name.exe PID: 4420, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: name.exe PID: 2084, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: name.exe PID: 6908, type: MEMORYSTR
Source: name.exe Binary or memory string: WIN_XP
Source: name.exe, 00000005.00000002.1842744135.0000000000482000.00000002.00000001.01000000.00000004.sdmp Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPWIN_2000InstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 8, 1USERPROFILEUSERDOMAINUSERDNSDOMAINDefaultGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYadvapi32.dllRegDeleteKeyExW+.-.+-\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]ISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXISTSEXPANDmsctls_statusbar321tooltips_class32AutoIt v3 GUI%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----&
Source: name.exe Binary or memory string: WIN_XPe
Source: name.exe Binary or memory string: WIN_VISTA
Source: name.exe Binary or memory string: WIN_7
Source: name.exe Binary or memory string: WIN_8

Remote Access Functionality

Source: C:\Windows\SysWOW64\svchost.exe Mutex created: \Sessions\1\BaseNamedObjects\Rmc-98KSNN
Source: Yara match File source: 1.2.name.exe.3c50000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.name.exe.3d80000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.name.exe.3d80000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.name.exe.39b0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.name.exe.3d80000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.name.exe.3d80000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.name.exe.3c50000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.name.exe.39b0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.1824115002.0000000003D80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.1806914004.0000000003C50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.1962839216.00000000039B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.1958069943.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1848783066.0000000003D80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.1959006729.0000000000822000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: name.exe PID: 4420, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: name.exe PID: 2084, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: name.exe PID: 6908, type: MEMORYSTR
Source: C:\Users\user\Desktop\tyRPPK48Mk.exe Code function: 0_2_004652BE socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket, 0_2_004652BE
Source: C:\Users\user\Desktop\tyRPPK48Mk.exe Code function: 0_2_00476619 socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 0_2_00476619
Source: C:\Users\user\Desktop\tyRPPK48Mk.exe Code function: 0_2_0046CEF3 OleInitialize,_wcslen,CreateBindCtx,MkParseDisplayName,CLSIDFromProgID,GetActiveObject, 0_2_0046CEF3
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 1_2_004652BE socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket, 1_2_004652BE
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 1_2_00476619 socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 1_2_00476619
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 1_2_0046CEF3 OleInitialize,_wcslen,CreateBindCtx,MkParseDisplayName,CLSIDFromProgID,GetActiveObject, 1_2_0046CEF3
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 3_2_004652BE socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket, 3_2_004652BE
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 3_2_00476619 socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 3_2_00476619
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 3_2_0046CEF3 OleInitialize,_wcslen,CreateBindCtx,MkParseDisplayName,CLSIDFromProgID,GetActiveObject, 3_2_0046CEF3