Windows Analysis Report
PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe

Overview

General Information

Sample name: PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe
Analysis ID: 1530636
MD5: 2940b15a52c0aaa97db24e4043ffffcf
SHA1: fa29bd64c6fd9ca4811db98aa8608691cb0324c3
SHA256: 6cb077ac45cc280c1ace4f4b7f7ec0feb23487074ac50e0113ade7e9509dbb85
Tags: exeuser-lowmal3

Detection

PureLog Stealer, RedLine
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected PureLog Stealer
Yara detected RedLine Stealer
.NET source code contains method to dynamically call methods (often used by packers)
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Contains functionality to behave differently if executed on a Russian/Kazakh computer
Contains functionality to detect sleep reduction / modifications
Creates files in the system32 config directory
Creates files inside the volume driver (system volume information)
Drops executable to a common third party application directory
Found direct / indirect Syscall (likely to bypass EDR)
Found many strings related to Crypto-Wallets (likely being stolen)
Infects executable files (exe, dll, sys, html)
Initial sample is a PE file and has a suspicious name
Installs a global keyboard hook
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Queries random domain names (often used to prevent blacklisting and sinkholes)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Switches to a custom stack to bypass stack traces
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Connects to many different domains
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to detect virtual machines (SLDT)
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates a window with clipboard capturing capabilities
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Enables driver privileges
Enables security privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain checking for process token information
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
OS version to string mapping found (often used in BOTs)
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Potential key logger detected (key state polling based)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Queries time zone information
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: Powershell Defender Exclusion
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: Suspicious Schtasks From Env Var Folder
Sigma detected: Uncommon Svchost Parent Process
Spawns drivers
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

AV Detection

Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Java\jre-1.8\bin\jjs.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\Au3Info.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java-rmi.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.132\117.0.5938.132_chrome_installer.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Java\jre-1.8\bin\jabswitch.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: 6.2.Native_Redline_BTC.exe.123eb188.3.raw.unpack Malware Configuration Extractor: RedLine {"C2 url": ["212.162.149.53:2049"], "Bot Id": "FOZ", "Authorization Header": "c74790bd166600f1f665c8ce201776eb"}
Source: uaafd.biz Virustotal: Detection: 10%
Source: vjaxhpbji.biz Virustotal: Detection: 11%
Source: pywolwnvd.biz Virustotal: Detection: 12%
Source: vrrazpdh.biz Virustotal: Detection: 10%
Source: xlfhhhm.biz Virustotal: Detection: 14%
Source: ctdtgwag.biz Virustotal: Detection: 10%
Source: tbjrpv.biz Virustotal: Detection: 12%
Source: hehckyov.biz Virustotal: Detection: 11%
Source: warkcdu.biz Virustotal: Detection: 10%
Source: lrxdmhrr.biz Virustotal: Detection: 13%
Source: ytctnunms.biz Virustotal: Detection: 11%
Source: przvgke.biz Virustotal: Detection: 14%
Source: npukfztj.biz Virustotal: Detection: 12%
Source: dwrqljrr.biz Virustotal: Detection: 12%
Source: sxmiywsfv.biz Virustotal: Detection: 13%
Source: ecxbwt.biz Virustotal: Detection: 9%
Source: bghjpy.biz Virustotal: Detection: 12%
Source: damcprvgv.biz Virustotal: Detection: 11%
Source: gytujflc.biz Virustotal: Detection: 14%
Source: gvijgjwkh.biz Virustotal: Detection: 12%
Source: deoci.biz Virustotal: Detection: 13%
Source: gnqgo.biz Virustotal: Detection: 9%
Source: ocsvqjg.biz Virustotal: Detection: 12%
Source: cvgrf.biz Virustotal: Detection: 12%
Source: wllvnzb.biz Virustotal: Detection: 12%
Source: lpuegx.biz Virustotal: Detection: 12%
Source: iuzpxe.biz Virustotal: Detection: 12%
Source: bumxkqgxu.biz Virustotal: Detection: 10%
Source: vyome.biz Virustotal: Detection: 10%
Source: yhqqc.biz Virustotal: Detection: 10%
Source: reczwga.biz Virustotal: Detection: 9%
Source: nqwjmb.biz Virustotal: Detection: 12%
Source: xccjj.biz Virustotal: Detection: 11%
Source: dlynankz.biz Virustotal: Detection: 12%
Source: vcddkls.biz Virustotal: Detection: 12%
Source: gcedd.biz Virustotal: Detection: 9%
Source: PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe ReversingLabs: Detection: 31%
Source: PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Virustotal: Detection: 34%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Java\jre-1.8\bin\jjs.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Au3Info.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java-rmi.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.132\117.0.5938.132_chrome_installer.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Java\jre-1.8\bin\jabswitch.exe Joe Sandbox ML: detected
Source: PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Joe Sandbox ML: detected
Source: PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: Binary string: C:\work\p4\splinters\Splinters\S\BuildResults\bin\Win32\ReaderRelease\FullTrustNotifier\FullTrustNotifier.pdb77.GCTL source: microsofts.exe, 00000005.00000003.2814742901.00000000008D0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\DCB\CBT_Main\BuildResults\bin\Win32\Release\armsvc.pdb source: svchost.exe, 00000004.00000003.2117161798.0000000005820000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: E:\PkgInstaller\base\ntsetup\SrvPack.Main\tools\sfxcab\sfxcab\objfre\i386\sfxcab.pdb source: microsofts.exe, 00000005.00000003.2894889964.00000000008D0000.00000004.00001000.00020000.00000000.sdmp, microsofts.exe, 00000005.00000003.2906588524.0000000000590000.00000004.00001000.00020000.00000000.sdmp, microsofts.exe, 00000005.00000003.2891835295.00000000008D0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: msiexec.pdb source: microsofts.exe, 00000005.00000003.2261668273.0000000007250000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\AcrobatInfo.pdb source: microsofts.exe, 00000005.00000003.2480516166.0000000006940000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ssh-agent.pdb source: microsofts.exe, 00000005.00000003.2334730630.0000000007250000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: AppVClient.pdb source: microsofts.exe, 00000005.00000003.2165441366.0000000005000000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\TextExtractor.pdb444 source: microsofts.exe, 00000005.00000003.2617403766.0000000006930000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\TextExtractor.pdb source: microsofts.exe, 00000005.00000003.2617403766.0000000006930000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: msiexec.pdbGCTL source: microsofts.exe, 00000005.00000003.2261668273.0000000007250000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ADelRCP_Exec.pdb source: microsofts.exe, 00000005.00000003.2640650319.0000000006930000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: mavinject32.pdbGCTL source: microsofts.exe, 00000005.00000003.2954719715.0000000004F90000.00000004.00001000.00020000.00000000.sdmp, microsofts.exe, 00000005.00000003.2958576638.00000000008C0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: PresentationFontCache.pdb source: microsofts.exe, 00000005.00000003.2212014906.0000000006960000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: PerceptionSimulationService.pdb source: microsofts.exe, 00000005.00000003.2272521083.0000000007250000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: _.pdb source: microsofts.exe, 00000005.00000003.2119948725.00000000006E3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe, 00000000.00000003.2074787470.0000000004170000.00000004.00001000.00020000.00000000.sdmp, PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe, 00000000.00000003.2074250734.0000000003FD0000.00000004.00001000.00020000.00000000.sdmp, PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe, 00000003.00000003.2102593621.0000000003DF0000.00000004.00001000.00020000.00000000.sdmp, PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe, 00000003.00000003.2103800748.0000000003F90000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\WebInstaller\AcroMiniServicesUpdater.pdb source: microsofts.exe, 00000005.00000003.2523798561.0000000006930000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: MsSense.pdbGCTL source: microsofts.exe, 00000005.00000003.2299207011.0000000007250000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\plug_ins\pi_brokers\MSRMSPIBroker.pdbAAAGCTL source: microsofts.exe, 00000005.00000003.2806405530.00000000008D0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: MsSense.pdb source: microsofts.exe, 00000005.00000003.2299207011.0000000007250000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\dbs\el\omr\Target\x64\ship\click2run\x-none\InspectorOfficeGadget.pdb source: microsofts.exe, 00000005.00000003.2940771463.00000000008C0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\Acrobat\Installers\ShowAppPickerForPDF\Release_x64\ShowAppPickerForPDF.pdb source: microsofts.exe, 00000005.00000003.2837407835.0000000000590000.00000004.00001000.00020000.00000000.sdmp, microsofts.exe, 00000005.00000003.2825064173.00000000008D0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: WmiApSrv.pdbGCTL source: microsofts.exe, 00000005.00000003.2391093241.0000000007250000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\WCChromeNativeMessagingHost.pdb888 source: microsofts.exe, 00000005.00000003.2675621901.0000000006930000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: Acrobat_SL.pdb((( source: microsofts.exe, 00000005.00000003.2494651732.0000000006940000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: locator.pdb source: microsofts.exe, 00000005.00000003.2289813880.0000000007250000.00000004.00001000.00020000.00000000.sdmp, microsofts.exe, 00000005.00000003.2295639551.0000000006910000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: DiagnosticsHub.StandardCollector.Service.pdbGCTL source: microsofts.exe, 00000005.00000003.2186596905.0000000006950000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ADelRCP_Exec.pdbCC9 source: microsofts.exe, 00000005.00000003.2640650319.0000000006930000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\AcroBroker.pdb source: microsofts.exe, 00000005.00000003.2505449143.0000000006940000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: Acrobat_SL.pdb source: microsofts.exe, 00000005.00000003.2494651732.0000000006940000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: E:\PkgInstaller\base\ntsetup\SrvPack.Main\tools\sfxcab\sfxcab\objfre\i386\sfxcab.pdbU source: microsofts.exe, 00000005.00000003.2894889964.00000000008D0000.00000004.00001000.00020000.00000000.sdmp, microsofts.exe, 00000005.00000003.2906588524.0000000000590000.00000004.00001000.00020000.00000000.sdmp, microsofts.exe, 00000005.00000003.2891835295.00000000008D0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\WebInstaller\AcroMiniServicesUpdater.pdbT source: microsofts.exe, 00000005.00000003.2523798561.0000000006930000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\workspace\CR-Windows-x64-Client-Builder\x64\Release\CRWindowsClientService.pdbGG source: microsofts.exe, 00000005.00000003.2704629556.0000000006930000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\AcrobatInfo.pdb))) source: microsofts.exe, 00000005.00000003.2480516166.0000000006940000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: mavinject32.pdb source: microsofts.exe, 00000005.00000003.2954719715.0000000004F90000.00000004.00001000.00020000.00000000.sdmp, microsofts.exe, 00000005.00000003.2958576638.00000000008C0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: maintenanceservice.pdb source: microsofts.exe, 00000005.00000003.2245227049.0000000007250000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: 64BitMAPIBroker.pdb source: microsofts.exe, 00000005.00000003.2787951511.00000000008D0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: PerceptionSimulationService.pdbGCTL source: microsofts.exe, 00000005.00000003.2272521083.0000000007250000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: snmptrap.pdbGCTL source: microsofts.exe, 00000005.00000003.2314590976.0000000007250000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: msdtcexe.pdbGCTL source: microsofts.exe, 00000005.00000003.2250623061.0000000007250000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\dbs\el\omr\Target\x64\ship\click2run\x-none\InspectorOfficeGadget.pdbY source: microsofts.exe, 00000005.00000003.2940771463.00000000008C0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: PerfHost.pdbGCTL source: microsofts.exe, 00000005.00000003.2284066039.0000000007250000.00000004.00001000.00020000.00000000.sdmp, microsofts.exe, 00000005.00000003.2288206191.0000000006910000.00000004.00001000.00020000.00000000.sdmp, microsofts.exe, 00000005.00000003.2282909180.0000000007250000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: E:\jenkins\workspace\NGL_WORKFLOW\build\master\win64\Release\Acrobat\project\win\ngl-workflow\x64\Release (Acrobat)\adobe_licensing_wf_helper_acro.pdb source: microsofts.exe, 00000005.00000003.2767066626.00000000008D0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\WCChromeNativeMessagingHost.pdb source: microsofts.exe, 00000005.00000003.2675621901.0000000006930000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: AppVClient.pdbGCTL source: microsofts.exe, 00000005.00000003.2165441366.0000000005000000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\work\p4\splinters\Splinters\S\BuildResults\bin\Win32\ReaderRelease\FullTrustNotifier\FullTrustNotifier.pdb source: microsofts.exe, 00000005.00000003.2814742901.00000000008D0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\workspace\CR-Windows-x64-Client-Builder\x64\Release\CRWindowsClientService.pdb source: microsofts.exe, 00000005.00000003.2704629556.0000000006930000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release\Plug_ins\pi_brokers\32BitMAPIBroker.pdb@@ source: microsofts.exe, 00000005.00000003.2773806278.00000000008D0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: PerfHost.pdb source: microsofts.exe, 00000005.00000003.2284066039.0000000007250000.00000004.00001000.00020000.00000000.sdmp, microsofts.exe, 00000005.00000003.2288206191.0000000006910000.00000004.00001000.00020000.00000000.sdmp, microsofts.exe, 00000005.00000003.2282909180.0000000007250000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\plug_ins\pi_brokers\MSRMSPIBroker.pdb source: microsofts.exe, 00000005.00000003.2806405530.00000000008D0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: maintenanceservice.pdb` source: microsofts.exe, 00000005.00000003.2245227049.0000000007250000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\Acrobat\Installers\ShowAppPickerForPDF\Release_x64\ShowAppPickerForPDF.pdb$$ source: microsofts.exe, 00000005.00000003.2837407835.0000000000590000.00000004.00001000.00020000.00000000.sdmp, microsofts.exe, 00000005.00000003.2825064173.00000000008D0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe, 00000000.00000003.2074787470.0000000004170000.00000004.00001000.00020000.00000000.sdmp, PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe, 00000000.00000003.2074250734.0000000003FD0000.00000004.00001000.00020000.00000000.sdmp, PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe, 00000003.00000003.2102593621.0000000003DF0000.00000004.00001000.00020000.00000000.sdmp, PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe, 00000003.00000003.2103800748.0000000003F90000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: TieringEngineService.pdb source: microsofts.exe, 00000005.00000003.2343789466.0000000007250000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: TieringEngineService.pdbGCTL source: microsofts.exe, 00000005.00000003.2343789466.0000000007250000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: WmiApSrv.pdb source: microsofts.exe, 00000005.00000003.2391093241.0000000007250000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\Eula.pdb source: microsofts.exe, 00000005.00000003.2718653783.0000000000590000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ALG.pdb source: microsofts.exe, 00000005.00000003.2119381762.00000000050D0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: msdtcexe.pdb source: microsofts.exe, 00000005.00000003.2250623061.0000000007250000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: DiagnosticsHub.StandardCollector.Service.pdb source: microsofts.exe, 00000005.00000003.2186596905.0000000006950000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ALG.pdbGCTL source: microsofts.exe, 00000005.00000003.2119381762.00000000050D0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: PresentationFontCache.pdbHt^t Pt_CorExeMainmscoree.dll source: microsofts.exe, 00000005.00000003.2212014906.0000000006960000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: locator.pdbGCTL source: microsofts.exe, 00000005.00000003.2289813880.0000000007250000.00000004.00001000.00020000.00000000.sdmp, microsofts.exe, 00000005.00000003.2295639551.0000000006910000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\AcroBroker.pdbTTT source: microsofts.exe, 00000005.00000003.2505449143.0000000006940000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ssh-agent.pdbX source: microsofts.exe, 00000005.00000003.2334730630.0000000007250000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: AppVShNotify.pdb source: microsofts.exe, 00000005.00000003.2932313089.00000000008D0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: snmptrap.pdb source: microsofts.exe, 00000005.00000003.2314590976.0000000007250000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release\Plug_ins\pi_brokers\32BitMAPIBroker.pdb source: microsofts.exe, 00000005.00000003.2773806278.00000000008D0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\Eula.pdb888 source: microsofts.exe, 00000005.00000003.2718653783.0000000000590000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: AppVShNotify.pdbGCTL source: microsofts.exe, 00000005.00000003.2932313089.00000000008D0000.00000004.00001000.00020000.00000000.sdmp

Spreading

Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Windows\System32\wbem\WmiApSrv.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\chrome_pwa_launcher.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\chrmstp.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Mozilla Firefox\pingsender.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Windows\System32\vds.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\setup.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Windows\System32\alg.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\7-Zip\7zFM.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Windows\System32\snmptrap.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Windows\System32\Spectrum.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Windows Media Player\wmpnetwk.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Windows\System32\Locator.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\7-Zip\7z.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Windows\System32\AppVClient.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Mozilla Firefox\crashreporter.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Windows\SysWOW64\perfhost.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\7-Zip\7zG.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Windows\System32\msiexec.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Windows\System32\VSSVC.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Windows\System32\wbengine.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Windows\System32\SearchIndexer.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\notification_helper.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Mozilla Firefox\private_browsing.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Windows\System32\TieringEngineService.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Mozilla Firefox\firefox.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files (x86)\AutoIt3\Au3Info.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Mozilla Firefox\updater.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files (x86)\AutoIt3\Au3Check.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\elevation_service.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Windows\System32\AgentService.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\7-Zip\Uninstall.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Windows\System32\FXSSVC.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Windows\System32\OpenSSH\ssh-agent.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Windows\System32\SensorDataService.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Windows\System32\msdtc.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Mozilla Firefox\plugin-container.exe
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: 0_2_00452126 FindFirstFileW,Sleep,FindNextFileW,FindClose, 0_2_00452126
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: 0_2_0045C999 FindFirstFileW,FindNextFileW,FindClose, 0_2_0045C999
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: 0_2_00436ADE GetFileAttributesW,FindFirstFileW,FindClose, 0_2_00436ADE
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: 0_2_00434BEE FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00434BEE
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: 0_2_0045DD7C FindFirstFileW,FindClose, 0_2_0045DD7C
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: 0_2_0044BD29 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose, 0_2_0044BD29
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: 0_2_00436D2D FindFirstFileW,CreateFileW,SetFileTime,CloseHandle,SetFileTime,CloseHandle, 0_2_00436D2D
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: 0_2_00442E1F SetCurrentDirectoryW,FindFirstFileW,SetCurrentDirectoryW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00442E1F
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: 0_2_00475FE5 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 0_2_00475FE5
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: 0_2_0044BF8D _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_0044BF8D
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: 3_2_00452126 FindFirstFileW,Sleep,FindNextFileW,FindClose, 3_2_00452126
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: 3_2_0045C999 FindFirstFileW,FindNextFileW,FindClose, 3_2_0045C999
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: 3_2_00436ADE GetFileAttributesW,FindFirstFileW,FindClose, 3_2_00436ADE
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: 3_2_00434BEE FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 3_2_00434BEE
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: 3_2_0045DD7C FindFirstFileW,FindClose, 3_2_0045DD7C
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: 3_2_0044BD29 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose, 3_2_0044BD29
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: 3_2_00436D2D FindFirstFileW,CreateFileW,SetFileTime,CloseHandle,SetFileTime,CloseHandle, 3_2_00436D2D
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: 3_2_00442E1F SetCurrentDirectoryW,FindFirstFileW,SetCurrentDirectoryW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 3_2_00442E1F
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: 3_2_00475FE5 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 3_2_00475FE5
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: 3_2_0044BF8D _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose, 3_2_0044BF8D
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File opened: C:\Documents and Settings\user\AppData\Local\Adobe\Acrobat\
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File opened: C:\Documents and Settings\user\AppData\Local\Adobe\Acrobat\DC\
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File opened: C:\Documents and Settings\user\AppData\Local\Adobe\
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File opened: C:\Documents and Settings\user\AppData\Local\Adobe\Acrobat\DC\Cache\
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File opened: C:\Documents and Settings\user\AppData\Local\
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File opened: C:\Documents and Settings\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\
Source: C:\Users\user\AppData\Local\Temp\build.exe Code function: 4x nop then jmp 05B4FCE7h 7_2_05B4F588
Source: C:\Users\user\AppData\Local\Temp\build.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 7_2_05B4B128
Source: C:\Users\user\AppData\Local\Temp\build.exe Code function: 4x nop then jmp 05B4A455h 7_2_05B4A434
Source: C:\Users\user\AppData\Local\Temp\build.exe Code function: 4x nop then inc dword ptr [ebp-20h] 7_2_05B42478
Source: C:\Users\user\AppData\Local\Temp\build.exe Code function: 4x nop then jmp 05B4DE72h 7_2_05B4DE5A
Source: C:\Users\user\AppData\Local\Temp\build.exe Code function: 4x nop then inc dword ptr [ebp-20h] 7_2_05B421A8
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Code function: 4x nop then jmp 01457394h 8_2_01457188
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Code function: 4x nop then jmp 014578DCh 8_2_01457688
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 8_2_01457E60
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Code function: 4x nop then jmp 014578DCh 8_2_0145767A
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 8_2_01457E54

Networking

Source: Network traffic Suricata IDS: 2051649 - Severity 1 - ET MALWARE DNS Query to Expiro Related Domain (knjghuig .biz) : 192.168.2.5:63907 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2850851 - Severity 1 - ETPRO MALWARE Win32/Expiro.NDO CnC Activity : 192.168.2.5:49707 -> 18.141.10.107:80
Source: Network traffic Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 18.141.10.107:80 -> 192.168.2.5:49724
Source: Network traffic Suricata IDS: 2051648 - Severity 1 - ET MALWARE DNS Query to Expiro Related Domain (przvgke .biz) : 192.168.2.5:63299 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2043231 - Severity 1 - ET MALWARE Redline Stealer TCP CnC Activity : 192.168.2.5:49706 -> 212.162.149.53:2049
Source: Network traffic Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 18.141.10.107:80 -> 192.168.2.5:49724
Source: Network traffic Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 54.244.188.177:80 -> 192.168.2.5:49713
Source: Network traffic Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 44.221.84.105:80 -> 192.168.2.5:49711
Source: Network traffic Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 44.221.84.105:80 -> 192.168.2.5:49711
Source: Network traffic Suricata IDS: 2046045 - Severity 1 - ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) : 192.168.2.5:49706 -> 212.162.149.53:2049
Source: Network traffic Suricata IDS: 2051649 - Severity 1 - ET MALWARE DNS Query to Expiro Related Domain (knjghuig .biz) : 192.168.2.5:54745 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2043234 - Severity 1 - ET MALWARE Redline Stealer TCP CnC - Id1Response : 212.162.149.53:2049 -> 192.168.2.5:49706
Source: Network traffic Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 54.244.188.177:80 -> 192.168.2.5:49713
Source: Network traffic Suricata IDS: 2051648 - Severity 1 - ET MALWARE DNS Query to Expiro Related Domain (przvgke .biz) : 192.168.2.5:64943 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2046056 - Severity 1 - ET MALWARE Redline Stealer/MetaStealer Family Activity (Response) : 212.162.149.53:2049 -> 192.168.2.5:49706
Source: Network traffic Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 47.129.31.212:80 -> 192.168.2.5:49929
Source: Network traffic Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 47.129.31.212:80 -> 192.168.2.5:49929
Source: Network traffic Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 13.251.16.150:80 -> 192.168.2.5:49942
Source: Network traffic Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 13.251.16.150:80 -> 192.168.2.5:49942
Source: Network traffic Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 18.208.156.248:80 -> 192.168.2.5:49992
Source: Network traffic Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 18.208.156.248:80 -> 192.168.2.5:49992
Source: Network traffic Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 34.246.200.160:80 -> 192.168.2.5:49985
Source: Network traffic Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 34.246.200.160:80 -> 192.168.2.5:49985
Source: Network traffic Suricata IDS: 2850851 - Severity 1 - ETPRO MALWARE Win32/Expiro.NDO CnC Activity : 192.168.2.5:50022 -> 34.211.97.45:80
Source: Network traffic Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 34.211.97.45:80 -> 192.168.2.5:50022
Source: Network traffic Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 34.211.97.45:80 -> 192.168.2.5:50022
Source: Network traffic Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 44.213.104.86:80 -> 192.168.2.5:51583
Source: Network traffic Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 44.213.104.86:80 -> 192.168.2.5:51583
Source: Network traffic Suricata IDS: 2051651 - Severity 1 - ET MALWARE DNS Query to Expiro Domain (eufxebus .biz) : 192.168.2.5:53567 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 3.94.10.34:80 -> 192.168.2.5:50017
Source: Network traffic Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 3.94.10.34:80 -> 192.168.2.5:50017
Source: Network traffic Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 35.164.78.200:80 -> 192.168.2.5:50057
Source: Network traffic Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 3.254.94.185:80 -> 192.168.2.5:50040
Source: Network traffic Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 3.254.94.185:80 -> 192.168.2.5:50040
Source: Network traffic Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 35.164.78.200:80 -> 192.168.2.5:50057
Source: Malware configuration extractor URLs: 212.162.149.53:2049
Source: unknown DNS traffic detected: English language letter frequency does not match the domain names
Source: unknown Network traffic detected: DNS query count 80
Source: global traffic TCP traffic: 192.168.2.5:49706 -> 212.162.149.53:2049
Source: global traffic TCP traffic: 192.168.2.5:49712 -> 51.195.88.199:587
Source: Joe Sandbox View IP Address: 165.160.15.20
Source: Joe Sandbox View IP Address: 104.26.12.205
Source: Joe Sandbox View ASN Name: AMAZON-02US
Source: Joe Sandbox View ASN Name: AMAZON-AESUS
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown DNS query: name: api.ipify.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 | Host: api.ipify.org | Connection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /rurmblummdysikl HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: pywolwnvd.biz | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 | Content-Length: 828
Source: global traffic HTTP traffic detected: POST /qmfuhtf HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: ssbzmoy.biz | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 | Content-Length: 828
Source: global traffic HTTP traffic detected: POST /mxhgf HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: pywolwnvd.biz | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 | Content-Length: 778
Source: global traffic HTTP traffic detected: POST /agup HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: cvgrf.biz | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 | Content-Length: 828
Source: global traffic HTTP traffic detected: POST /acnwjlbaxboknfa HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: ssbzmoy.biz | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 | Content-Length: 778
Source: global traffic HTTP traffic detected: POST /dwqgybxwikykky HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: npukfztj.biz | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 | Content-Length: 828
Source: global traffic HTTP traffic detected: POST /mvgpsfdcrvitryo HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: cvgrf.biz | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 | Content-Length: 778
Source: global traffic HTTP traffic detected: POST /rrba HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: przvgke.biz | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 | Content-Length: 828
Source: global traffic HTTP traffic detected: POST /ajvaopkagn HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: przvgke.biz | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 | Content-Length: 828
Source: global traffic HTTP traffic detected: POST /ojwgmwlrsgrxkodi HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: npukfztj.biz | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 | Content-Length: 778
Source: global traffic HTTP traffic detected: POST /xecqerkyvkn HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: knjghuig.biz | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 | Content-Length: 828
Source: global traffic HTTP traffic detected: POST /ysrvxblocwefk HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: przvgke.biz | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 | Content-Length: 778
Source: global traffic HTTP traffic detected: POST /xkjanqfjaocn HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: lpuegx.biz | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 | Content-Length: 828
Source: global traffic HTTP traffic detected: POST /w HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: przvgke.biz | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 | Content-Length: 778
Source: global traffic HTTP traffic detected: POST /xylpjhgrvuhkfdao HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: knjghuig.biz | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 | Content-Length: 778
Source: global traffic HTTP traffic detected: POST /mgu HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: lpuegx.biz | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 | Content-Length: 778
Source: global traffic HTTP traffic detected: POST /pkabvaplwbiqx HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: lpuegx.biz | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 | Content-Length: 828
Source: global traffic HTTP traffic detected: POST /dmaeaf HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: lpuegx.biz | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 | Content-Length: 778
Source: global traffic HTTP traffic detected: POST /vpujdohccl HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: vjaxhpbji.biz | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 | Content-Length: 778
Source: global traffic HTTP traffic detected: POST /gocchgnxicko HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: vjaxhpbji.biz | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 | Content-Length: 778
Source: global traffic HTTP traffic detected: POST /mnoqnjatopaha HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: vjaxhpbji.biz | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 | Content-Length: 828
Source: global traffic HTTP traffic detected: POST /hqlbcdtcv HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: xlfhhhm.biz | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 | Content-Length: 778
Source: global traffic HTTP traffic detected: POST /fymj HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: ifsaia.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /wbpbmvhlbk HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: saytjshyf.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /qohnd HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: vcddkls.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /dvejgi HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: fwiwk.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /kadnnjikurdd HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: fwiwk.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /mngdwptvi HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: tbjrpv.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /qqxxgql HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: tbjrpv.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /sgbnffiuqo HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: deoci.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /ly HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: gytujflc.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /jae HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: gytujflc.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /sptkirsqxflbf HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: qaynky.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /v HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: qaynky.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /iafrakxbkhxwqo HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: bumxkqgxu.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /ucrfyypmempwn HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: dwrqljrr.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /oiwersrybt HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: nqwjmb.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /ocntklkd HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: ytctnunms.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /ndgx HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: vjaxhpbji.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 828
Source: global traffic HTTP traffic detected: POST /libobglfegsxaj HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: myups.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /dkwdmdeuhpg HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: myups.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /khpdqtysqhg HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: oshhkdluh.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /icltfkrjatd HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: yunalwv.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /xnxlkgkrmwlxblkt HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: yunalwv.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /hisgijrksnb HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: jpskm.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /sc HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: lrxdmhrr.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /a HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: wllvnzb.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /skpx HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: gnqgo.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /wgcbdp HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: jhvzpcfg.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /sxrtljpowkklyfep HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: acwjcqqv.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /ksvtsx HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: vyome.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /thacrmsw HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: yauexmxk.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /rdoagulou HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: iuzpxe.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /m HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: sxmiywsfv.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /jk HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: vrrazpdh.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /kjqwmlcq HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: ftxlah.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /uluonacniewnep HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: typgfhb.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /n HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: esuzf.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /vpbxgqp HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: xlfhhhm.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 828
Source: global traffic HTTP traffic detected: POST /hqowbucy HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: gvijgjwkh.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /ohp HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: qpnczch.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /wkqumdvynqwto HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: ifsaia.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 828
Source: global traffic HTTP traffic detected: POST /npjswmwoxwkrbxd HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: brsua.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /kfodjblu HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: saytjshyf.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 828
Source: global traffic HTTP traffic detected: POST /hdqasqyy HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: dlynankz.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /qtuy HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: vcddkls.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 828
Source: global traffic HTTP traffic detected: POST /vnjrxnyhwihcg HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: oflybfv.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /xwv HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: fwiwk.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 828
Source: global traffic HTTP traffic detected: POST /dokmgu HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: fwiwk.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 828
Source: global traffic HTTP traffic detected: POST /vqtoaeha HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: yhqqc.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /lkirwmgfxelvg HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: tbjrpv.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 828
Source: global traffic HTTP traffic detected: POST /hbnyekwgryhvrr HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: mnjmhp.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /kxstjshewunex HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: deoci.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 828
Source: global traffic HTTP traffic detected: POST /yowtqsuuesmahbsb HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: gytujflc.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 828
Source: global traffic HTTP traffic detected: POST /vipiwgiihx HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: gytujflc.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 828
Source: global traffic HTTP traffic detected: POST /yclqyqmghucjea HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: qaynky.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 828
Source: global traffic HTTP traffic detected: POST /wcffwbepjknhrkkd HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: opowhhece.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /fsupyedkjsaginlp HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: bumxkqgxu.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 828
Source: global traffic HTTP traffic detected: POST /oknxycjjxcvmcyg HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: jdhhbs.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /kquvnwuqqcd HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: dwrqljrr.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 828
Source: global traffic HTTP traffic detected: POST /ggwhl HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: nqwjmb.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 828
Source: global traffic HTTP traffic detected: POST /qcnhkliwpylu HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: mgmsclkyu.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /gvv HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: ytctnunms.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 828
Source: global traffic HTTP traffic detected: POST /vhprbmdefc HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: myups.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 828
Source: global traffic HTTP traffic detected: POST /rxkip HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: warkcdu.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /wqmolrbsijpjbu HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: myups.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 828
Source: global traffic HTTP traffic detected: POST /rgwkboikrm HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: warkcdu.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /xp HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: oshhkdluh.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 828
Source: global traffic HTTP traffic detected: POST /cx HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: yunalwv.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 828
Source: global traffic HTTP traffic detected: POST /irsdmqckkulgp HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: yunalwv.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 828
Source: global traffic HTTP traffic detected: POST /mgsjgpoacwottwhx HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: gcedd.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /yxnfodxhcdmnj HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: jpskm.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 828
Source: global traffic HTTP traffic detected: POST /lpr HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: lrxdmhrr.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 828
Source: global traffic HTTP traffic detected: POST /ryoeonf HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: wllvnzb.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 828
Source: global traffic HTTP traffic detected: 61 POST requests to 44 distinct .biz hosts. Every request carries the same header set; only the request path, the Host and the Content-Length vary (no path is reused, each host receives at most two requests, and the body is always 778 or 828 bytes):
  Cache-Control: no-cache
  Connection: Keep-Alive
  Pragma: no-cache
  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
  Host             Path                Content-Length
  jwkoeoqns.biz    /do                 778
  xccjj.biz        /gblimgnlscyku      778
  gnqgo.biz        /ukwrctauwj         828
  jhvzpcfg.biz     /bct                828
  acwjcqqv.biz     /lxrjyksdgpjxna     828
  hehckyov.biz     /bdsoixvaivc        778
  vyome.biz        /oxda               828
  rynmcq.biz       /docjrpuoliw        778
  yauexmxk.biz     /jebhuwdu           828
  iuzpxe.biz       /yavxloupuaxr       828
  uaafd.biz        /vsxacwvtko         778
  sxmiywsfv.biz    /kcrxavatov         828
  eufxebus.biz     /iaiodpshpb         778
  vrrazpdh.biz     /ect                828
  pwlqfu.biz       /exqaqlffu          778
  pwlqfu.biz       /ucjyqfgo           778
  ftxlah.biz       /pb                 828
  rrqafepng.biz    /ha                 778
  rrqafepng.biz    /nqyrhhrsxbrr       778
  ctdtgwag.biz     /sonhfc             778
  typgfhb.biz      /hkdwng             828
  tnevuluw.biz     /yavfpoeu           778
  tnevuluw.biz     /vjmakoegwejtsrok   778
  whjovd.biz       /rrlwj              778
  whjovd.biz       /bteutovkpfgbea     778
  gjogvvpsf.biz    /ikwdwlrjrslefrvs   778
  gjogvvpsf.biz    /xvwjoyasecofgd     778
  esuzf.biz        /majxvi             828
  esuzf.biz        /xtlulck            828
  gvijgjwkh.biz    /dnygdywcggkonbfe   828
  gvijgjwkh.biz    /njgjrpxmf          828
  qpnczch.biz      /rd                 828
  qpnczch.biz      /wi                 828
  brsua.biz        /sqaajldpmyrnnl     828
  reczwga.biz      /cgofyarxpklm       778
  brsua.biz        /cgtrhhgqi          828
  dlynankz.biz     /qtgyq              828
  reczwga.biz      /wcihxt             778
  dlynankz.biz     /ymrgibjtpgrltdn    828
  oflybfv.biz      /entqbvydd          828
  yhqqc.biz        /rhvd               828
  bghjpy.biz       /csepohryabqocrsd   778
  mnjmhp.biz       /eeswgjxjcwha       828
  mnjmhp.biz       /ewnwyxek           828
  opowhhece.biz    /butjufvvmucwu      828
  damcprvgv.biz    /abotv              778
  jdhhbs.biz       /dhvreng            828
  ocsvqjg.biz      /plbdbgmplm         778
  mgmsclkyu.biz    /cmrwepikmmer       828
  mgmsclkyu.biz    /pwmmeoh            828
  warkcdu.biz      /dvvbbgutuwtwsq     828
  ywffr.biz        /cdpttgyexq         778
  gcedd.biz        /wgxnisegc          828
  ecxbwt.biz       /tckhwxqtj          778
  jwkoeoqns.biz    /ajbav              828
  pectx.biz        /kpiticjpb          778
  xccjj.biz        /brqvg              828
  zyiexezl.biz     /mvljr              778
  hehckyov.biz     /bvbcgrbcs          828
  rynmcq.biz       /bgpu               828
  banwyw.biz       /wrjeoyp            778
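The POST traffic above has a shape that is easier to detect than any single domain: one fixed User-Agent, a fresh random path on every request, only two body sizes (778 and 828 bytes) and a spray across random-looking .biz hosts. The Python below is an added example, not part of the sandbox report and not the sample's code. It rebuilds a handful of the report's request heads with the CRLF line breaks the rendering collapsed, parses them, and applies a behavioural fan-out check (one UA, many hosts under one TLD, no path reuse) next to a deliberately weak lexical DGA score, then emits a Suricata rule keyed on the fixed User-Agent. The `min_hosts` threshold and the Suricata `sid` are assumptions; the api.ipify.org GET is the report's own external-IP lookup, included as a control request that must not be flagged.

```python
"""Flag DGA-style HTTP POST fan-out in a set of request heads.

Added example for this report, not sandbox output. Hosts, paths,
Content-Length values and the two User-Agents are copied from the
report's HTTP lines; the CRLF line breaks are restored so the heads
parse as they would on the wire.
"""
import re
from collections import defaultdict

UA_QQ = ("Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) "
         "Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI "
         "WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400")
UA_FIREFOX = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0"


def post_head(host, path, length, ua=UA_QQ):
    """Rebuild one of the report's POST request heads with wire line breaks."""
    return (f"POST {path} HTTP/1.1\r\nCache-Control: no-cache\r\nConnection: Keep-Alive\r\n"
            f"Pragma: no-cache\r\nHost: {host}\r\nUser-Agent: {ua}\r\n"
            f"Content-Length: {length}\r\n\r\n")


SAMPLE_HEADS = [
    post_head("jwkoeoqns.biz", "/do", 778),
    post_head("xccjj.biz", "/gblimgnlscyku", 778),
    post_head("gnqgo.biz", "/ukwrctauwj", 828),
    post_head("jhvzpcfg.biz", "/bct", 828),
    post_head("hehckyov.biz", "/bdsoixvaivc", 778),
    post_head("pwlqfu.biz", "/exqaqlffu", 778),
    post_head("pwlqfu.biz", "/ucjyqfgo", 778),
    post_head("esuzf.biz", "/majxvi", 828),
    # The report's external-IP lookup: different UA, GET, a real service. Control case.
    f"GET / HTTP/1.1\r\nUser-Agent: {UA_FIREFOX}\r\nHost: api.ipify.org\r\nConnection: Keep-Alive\r\n\r\n",
]


def parse_head(raw):
    """Split a request head into method, path and a lower-cased header dict."""
    lines = raw.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line:                      # blank line terminates the head
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers}


def sld(host):
    """Second-level label: 'jwkoeoqns' for 'jwkoeoqns.biz'."""
    parts = host.lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def lexical_score(label):
    """Weak lexical DGA hint: few vowels and/or a long consonant run.

    Deliberately coarse: a pronounceable label such as 'jwkoeoqns' scores 0,
    which is why detection below keys on behaviour and only reports this.
    """
    letters = [c for c in label if c.isalpha()]
    if not letters:
        return 0.0
    vowel_ratio = sum(c in "aeiou" for c in letters) / len(letters)
    max_run = max((len(r) for r in re.findall(r"[b-df-hj-np-tv-z]+", label)), default=0)
    return (0.5 if vowel_ratio < 0.25 else 0.0) + (0.5 if max_run >= 4 else 0.0)


def find_post_fanout(heads, min_hosts=5):
    """Behavioural check: one User-Agent POSTing to many hosts under a single TLD
    without ever reusing a path. min_hosts is an assumed threshold."""
    by_ua = defaultdict(list)
    for raw in heads:
        req = parse_head(raw)
        if req["method"] == "POST":
            by_ua[req["headers"].get("user-agent", "")].append(req)
    findings = []
    for ua, reqs in by_ua.items():
        hosts = sorted({r["headers"]["host"] for r in reqs})
        tlds = {h.rsplit(".", 1)[-1] for h in hosts}
        paths = [r["path"] for r in reqs]
        if len(hosts) >= min_hosts and len(tlds) == 1 and len(set(paths)) == len(paths):
            findings.append({
                "user_agent": ua,
                "tld": tlds.pop(),
                "hosts": hosts,
                "requests": len(reqs),
                "content_lengths": sorted({int(r["headers"]["content-length"]) for r in reqs}),
                "lexical_hits": [h for h in hosts if lexical_score(sld(h)) >= 0.5],
            })
    return findings


def suricata_ua_rule(ua, sid):
    """Content rule on the fixed User-Agent. Suricata requires ';', '"' and
    backslash to be escaped inside a content string. sid is a placeholder."""
    escaped = ua.replace("\\", "\\\\").replace('"', '\\"').replace(";", "\\;")
    return ('alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"Stealer POST beacon UA"; '
            'flow:established,to_server; http.method; content:"POST"; '
            f'http.user_agent; content:"{escaped}"; sid:{sid}; rev:1;)')


if __name__ == "__main__":
    for f in find_post_fanout(SAMPLE_HEADS):
        print(f"{f['requests']} POSTs to {len(f['hosts'])} .{f['tld']} hosts, "
              f"body sizes {f['content_lengths']}, lexical hits: {f['lexical_hits']}")
    print(suricata_ua_rule(UA_QQ, sid=1000001))
```

On these eight heads the fan-out check fires once (7 hosts, 8 requests, bodies 778 and 828) while the ipify GET is ignored; the lexical score catches five of the seven hosts and misses jwkoeoqns.biz and esuzf.biz, a reminder that vowel-ratio heuristics alone are not a DGA detector. The generated Suricata rule is only as durable as the User-Agent string; a rebuild of the sample with a new UA defeats it, whereas the fan-out logic does not care which UA is used.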
Source: unknown TCP traffic detected without corresponding DNS query: 212.162.149.53 (50 connections)
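Fifty connections to 212.162.149.53 with no DNS query in the same capture, next to dozens of queried .biz names, is the pattern behind the "TCP traffic without corresponding DNS query" signature. The Python below is an added example, not sandbox code: it walks an ordered event stream and reports destinations that no DNS answer in that stream produced. The destination address and the queried names are from the report; the event order, the ports and the answer address 192.0.2.10 (TEST-NET-1) are constructed, because the report lists queries, not answers. The `prior_resolutions` parameter exists because an address resolved before the capture began, or served from the OS resolver cache, would otherwise be a false positive.

```python
"""Report TCP connections whose destination no DNS answer in the capture produced.

Added example for this report, not sandbox code. Destination 212.162.149.53
and the queried .biz names are from the report; the event order, the ports
and the answer address 192.0.2.10 are constructed.
"""
from collections import Counter

# Constructed, ordered event stream:
#   ("dns", qname, [answer addresses])   an empty list means no address came back
#   ("tcp", dst_ip, dst_port)
EVENTS = [
    ("dns", "api.ipify.org", ["192.0.2.10"]),
    ("tcp", "192.0.2.10", 80),
    ("dns", "pywolwnvd.biz", []),
    ("dns", "ssbzmoy.biz", []),
    ("tcp", "212.162.149.53", 80),
    ("dns", "cvgrf.biz", []),
    ("tcp", "212.162.149.53", 80),
    ("tcp", "212.162.149.53", 80),
]


def connections_without_dns(events, prior_resolutions=(), min_count=1):
    """Walk events in order and flag TCP destinations never seen in a DNS answer.

    prior_resolutions: addresses known to have resolved before the capture
    (resolver cache, passive DNS), so they are not reported as direct-IP.
    min_count: report a destination only once it has been hit this many times.
    """
    resolved = set(prior_resolutions)
    unanswered = []
    hits = Counter()
    first_event = {}
    for index, event in enumerate(events):
        if event[0] == "dns":
            _, qname, answers = event
            resolved.update(answers)
            if not answers:
                unanswered.append(qname)
        elif event[0] == "tcp":
            _, dst, port = event
            if dst not in resolved:          # nothing seen so far resolved to dst
                hits[(dst, port)] += 1
                first_event.setdefault((dst, port), index)
    direct = [
        {"dst": dst, "port": port, "count": n, "first_event": first_event[(dst, port)]}
        for (dst, port), n in sorted(hits.items())
        if n >= min_count
    ]
    return {"direct_ip": direct, "unanswered_queries": unanswered}


if __name__ == "__main__":
    report = connections_without_dns(EVENTS)
    for d in report["direct_ip"]:
        print(f"{d['dst']}:{d['port']} reached {d['count']}x with no DNS answer "
              f"(first at event {d['first_event']})")
    print("queried names with no address:", report["unanswered_queries"])
```

Order matters: a connection that appears before its own DNS answer (packet reordering, or a capture that starts mid-session) is reported, so in production seed `prior_resolutions` from the resolver cache or a passive-DNS store and raise `min_count` above one. The second output, names that were queried but never got an address, is the companion signal for this sample: a long list of unresolvable random .biz names plus repeated direct-IP connections is what a DGA used for noise next to a fixed address looks like in a capture.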
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: 0_2_0044289D InternetQueryDataAvailable,InternetReadFile, 0_2_0044289D
Source: global traffic HTTP traffic detected: GET / HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
  Host: api.ipify.org
  Connection: Keep-Alive
Source: global traffic DNS traffic detected: DNS query: pywolwnvd.biz
Source: global traffic DNS traffic detected: DNS query: api.ipify.org
Source: global traffic DNS traffic detected: DNS query: ssbzmoy.biz
Source: global traffic DNS traffic detected: DNS query: cvgrf.biz
Source: global traffic DNS traffic detected: DNS query: npukfztj.biz
Source: global traffic DNS traffic detected: DNS query: s82.gocheapweb.com
Source: global traffic DNS traffic detected: DNS query: przvgke.biz
Source: global traffic DNS traffic detected: DNS query: zlenh.biz
Source: global traffic DNS traffic detected: DNS query: knjghuig.biz
Source: global traffic DNS traffic detected: DNS query: uhxqin.biz
Source: global traffic DNS traffic detected: DNS query: anpmnmxo.biz
Source: global traffic DNS traffic detected: DNS query: lpuegx.biz
Source: global traffic DNS traffic detected: DNS query: vjaxhpbji.biz
Source: global traffic DNS traffic detected: DNS query: xlfhhhm.biz
Source: global traffic DNS traffic detected: DNS query: ifsaia.biz
Source: global traffic DNS traffic detected: DNS query: saytjshyf.biz
Source: global traffic DNS traffic detected: DNS query: vcddkls.biz
Source: global traffic DNS traffic detected: DNS query: fwiwk.biz
Source: global traffic DNS traffic detected: DNS query: tbjrpv.biz
Source: global traffic DNS traffic detected: DNS query: deoci.biz
Source: global traffic DNS traffic detected: DNS query: gytujflc.biz
Source: global traffic DNS traffic detected: DNS query: qaynky.biz
Source: global traffic DNS traffic detected: DNS query: bumxkqgxu.biz
Source: global traffic DNS traffic detected: DNS query: dwrqljrr.biz
Source: global traffic DNS traffic detected: DNS query: nqwjmb.biz
Source: global traffic DNS traffic detected: DNS query: ytctnunms.biz
Source: global traffic DNS traffic detected: DNS query: myups.biz
Source: global traffic DNS traffic detected: DNS query: oshhkdluh.biz
Source: global traffic DNS traffic detected: DNS query: yunalwv.biz
Source: global traffic DNS traffic detected: DNS query: jpskm.biz
Source: global traffic DNS traffic detected: DNS query: lrxdmhrr.biz
Source: global traffic DNS traffic detected: DNS query: wllvnzb.biz
Source: global traffic DNS traffic detected: DNS query: gnqgo.biz
Source: global traffic DNS traffic detected: DNS query: jhvzpcfg.biz
Source: global traffic DNS traffic detected: DNS query: acwjcqqv.biz
Source: global traffic DNS traffic detected: DNS query: lejtdj.biz
Source: global traffic DNS traffic detected: DNS query: vyome.biz
Source: global traffic DNS traffic detected: DNS query: yauexmxk.biz
Source: global traffic DNS traffic detected: DNS query: iuzpxe.biz
Source: global traffic DNS traffic detected: DNS query: sxmiywsfv.biz
Source: global traffic DNS traffic detected: DNS query: vrrazpdh.biz
Source: global traffic DNS traffic detected: DNS query: ftxlah.biz
Source: global traffic DNS traffic detected: DNS query: typgfhb.biz
Source: global traffic DNS traffic detected: DNS query: esuzf.biz
Source: global traffic DNS traffic detected: DNS query: gvijgjwkh.biz
Source: global traffic DNS traffic detected: DNS query: qpnczch.biz
Source: global traffic DNS traffic detected: DNS query: brsua.biz
Source: global traffic DNS traffic detected: DNS query: dlynankz.biz
Source: global traffic DNS traffic detected: DNS query: oflybfv.biz
Source: global traffic DNS traffic detected: DNS query: yhqqc.biz
Source: global traffic DNS traffic detected: DNS query: mnjmhp.biz
Source: global traffic DNS traffic detected: DNS query: opowhhece.biz
Source: global traffic DNS traffic detected: DNS query: zjbpaao.biz
Source: global traffic DNS traffic detected: DNS query: jdhhbs.biz
Source: global traffic DNS traffic detected: DNS query: mgmsclkyu.biz
Source: global traffic DNS traffic detected: DNS query: warkcdu.biz
Source: global traffic DNS traffic detected: DNS query: gcedd.biz
Source: global traffic DNS traffic detected: DNS query: jwkoeoqns.biz
Source: global traffic DNS traffic detected: DNS query: xccjj.biz
Source: global traffic DNS traffic detected: DNS query: hehckyov.biz
Source: global traffic DNS traffic detected: DNS query: rynmcq.biz
Source: global traffic DNS traffic detected: DNS query: uaafd.biz
Source: global traffic DNS traffic detected: DNS query: eufxebus.biz
Source: global traffic DNS traffic detected: DNS query: pwlqfu.biz
Source: global traffic DNS traffic detected: DNS query: rrqafepng.biz
Source: global traffic DNS traffic detected: DNS query: ctdtgwag.biz
Source: global traffic DNS traffic detected: DNS query: tnevuluw.biz
Source: global traffic DNS traffic detected: DNS query: whjovd.biz
Source: global traffic DNS traffic detected: DNS query: gjogvvpsf.biz
Source: global traffic DNS traffic detected: DNS query: reczwga.biz
Source: global traffic DNS traffic detected: DNS query: bghjpy.biz
Source: global traffic DNS traffic detected: DNS query: damcprvgv.biz
Source: global traffic DNS traffic detected: DNS query: ocsvqjg.biz
Source: global traffic DNS traffic detected: DNS query: ywffr.biz
Source: global traffic DNS traffic detected: DNS query: ecxbwt.biz
Source: global traffic DNS traffic detected: DNS query: pectx.biz
Source: global traffic DNS traffic detected: DNS query: zyiexezl.biz
Source: global traffic DNS traffic detected: DNS query: banwyw.biz
Source: global traffic DNS traffic detected: DNS query: muapr.biz
Source: global traffic DNS traffic detected: DNS query: wxgzshna.biz
Source: unknown HTTP traffic detected: POST /rurmblummdysikl HTTP/1.1
  Cache-Control: no-cache
  Connection: Keep-Alive
  Pragma: no-cache
  Host: pywolwnvd.biz
  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
  Content-Length: 828
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.0 (Ubuntu)Date: Thu, 10 Oct 2024 08:08:15 GMTContent-Type: text/htmlContent-Length: 580Connection: keep-aliveData Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.0 (Ubuntu)Date: Thu, 10 Oct 2024 08:08:15 GMTContent-Type: text/htmlContent-Length: 580Connection: keep-aliveData Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.0 (Ubuntu)Date: Thu, 10 Oct 2024 08:08:26 GMTContent-Type: text/htmlContent-Length: 580Connection: keep-aliveData Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.0 (Ubuntu)Date: Thu, 10 Oct 2024 08:08:26 GMTContent-Type: text/htmlContent-Length: 580Connection: keep-aliveData Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.27.2Date: Thu, 10 Oct 2024 08:08:47 GMTTransfer-Encoding: chunkedConnection: keep-aliveKeep-Alive: timeout=20Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.0 (Ubuntu)Date: Thu, 10 Oct 2024 08:08:51 GMTContent-Type: text/htmlContent-Length: 580Connection: keep-aliveData Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.0 (Ubuntu)Date: Thu, 10 Oct 2024 08:08:52 GMTContent-Type: text/htmlContent-Length: 580Connection: keep-aliveData Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.0 (Ubuntu)Date: Thu, 10 Oct 2024 08:08:58 GMTContent-Type: text/htmlContent-Length: 580Connection: keep-aliveData Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.0 (Ubuntu)Date: Thu, 10 Oct 2024 08:08:58 GMTContent-Type: text/htmlContent-Length: 580Connection: keep-aliveData Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.0 (Ubuntu)Date: Thu, 10 Oct 2024 08:09:11 GMTContent-Type: text/htmlContent-Length: 580Connection: keep-aliveData Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.0 (Ubuntu)Date: Thu, 10 Oct 2024 08:09:12 GMTContent-Type: text/htmlContent-Length: 580Connection: keep-aliveData Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: alg.exe, 00000009.00000003.3045551254.000000000059B000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.3060758556.000000000059C000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.3078569820.000000000059C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://13.251.16.150/
Source: alg.exe, 00000009.00000003.2576145561.0000000000558000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.2576692201.0000000000562000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.2575063402.000000000055D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://13.251.16.150/fymjdtcv
Source: alg.exe, 00000009.00000003.3100543352.00000000005A9000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.3119389154.00000000005A9000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.3110909006.00000000005A9000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.3135716796.00000000005A9000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.3156257212.00000000005A9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://13.251.16.150/mgsjgpoacwottwhx
Source: alg.exe, 00000009.00000003.3050069889.00000000005C8000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.3047643251.00000000005C9000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.3079434309.00000000005C8000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.3058249726.00000000005C9000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.3078569820.00000000005C7000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.3061259113.00000000005C8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://13.251.16.150/oknxycjjxcvmcygp
Source: alg.exe, 00000009.00000003.2665977163.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.2682321054.000000000056E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://13.251.16.150/sptkirsqxflbfd
Source: alg.exe, 00000009.00000003.2576145561.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.2575063402.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.2576692201.000000000056E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://13.251.16.150:80/fymjdtcv
Source: alg.exe, 00000009.00000003.3120774885.000000000056E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://13.251.16.150:80/mgsjgpoacwottwhxfP
Source: alg.exe, 00000009.00000003.2910224096.000000000056E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://13.251.16.150:80/mhacrmsw
Source: alg.exe, 00000009.00000003.3048558345.000000000056E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://13.251.16.150:80/oknxycjjxcvmcygP.ca
Source: alg.exe, 00000009.00000003.2926946186.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.2910224096.000000000056E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://13.251.16.150:80/rdoagulou
Source: alg.exe, 00000009.00000003.2665977163.000000000056E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://13.251.16.150:80/sptkirsqxflbf
Source: alg.exe, 00000009.00000003.2937382799.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.2926946186.000000000056E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://13.251.16.150:80/uluonacniewnep
Source: alg.exe, 00000009.00000003.2725793461.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.2690389382.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.2718655052.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.2744860394.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.2756641044.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.2725466664.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.2739777279.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.2709340960.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.2682321054.000000000056E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://13.251.16.150:80/vtkirsqxflbf
Source: alg.exe, 00000009.00000003.2937382799.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.2744860394.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.2811149563.000000000057A000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.2926946186.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.2910224096.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.2768613145.000000000057B000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.2756206332.000000000057C000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.2946405217.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.2745831053.000000000057A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://165.160.15.20/dkwdmdeuhpgaj%
Source: alg.exe, 00000009.00000003.2739777279.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.2740295647.000000000057B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://165.160.15.20/libobglfegsxaj%
Source: alg.exe, 00000009.00000003.2744860394.000000000056E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://165.160.15.20:80/dkwdmdeuhpg
Source: alg.exe, 00000009.00000003.2768613145.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.2744860394.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.2756641044.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.2739777279.000000000056E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://165.160.15.20:80/libobglfegsxaj
Source: alg.exe, 00000009.00000003.2613582337.000000000055A000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.2621081247.000000000055A000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.2621710164.0000000000562000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.2614366913.0000000000562000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://172.234.222.143/dvejgi
Source: alg.exe, 00000009.00000003.2725793461.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.2641781426.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.2621710164.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.2634085222.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.2690389382.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.2937382799.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.2718655052.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.2744860394.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.2811149563.000000000057A000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.2726765067.000000000057B000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.2651055218.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.2926946186.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.2665977163.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.2910224096.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.2768613145.000000000057B000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.2725466664.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.2739777279.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.2756206332.000000000057C000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.2709340960.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.2946405217.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.2745831053.000000000057A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://172.234.222.143/kadnnjikurdd
Source: alg.exe, 00000009.00000003.2210828989.000000000056E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://172.234.222.143/wP6
Source: alg.exe, 00000009.00000003.2504415483.000000000055D000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.2211690726.000000000055D000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.2444067771.000000000055D000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.2228386739.000000000055D000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.2465112671.000000000055D000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.2544401185.000000000055D000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.2464247908.000000000055D000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.2204873392.000000000055D000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.2544895268.000000000055D000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.2210828989.000000000055D000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.2229224734.000000000055D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://172.234.222.143/ysrvxblocwefk
Source: alg.exe, 00000009.00000003.2613582337.000000000056E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://172.234.222.143:80/dvejgifP
Source: alg.exe, 00000009.00000003.2621710164.000000000056E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://172.234.222.143:80/kadnnjikurdd
Source: alg.exe, 00000009.00000003.2464247908.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.2229224734.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.2211690726.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.2465112671.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.2228386739.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.2444067771.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.2210828989.000000000056E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://172.234.222.143:80/ww
Source: alg.exe, 00000009.00000003.2204873392.000000000056E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://172.234.222.143:80/ysrvxblocwefk
Source: alg.exe, 00000009.00000003.3256074527.000000000058B000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.3232490363.000000000058A000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.3253000018.000000000058A000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.3290510552.000000000058C000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.3306777601.000000000058A000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.3218423804.000000000058A000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.3220609083.000000000058A000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000002.3323934646.000000000058A000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.3298047259.000000000058A000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.3230534446.000000000058A000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.3239370210.000000000058A000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.3209760025.000000000058A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://18.141.10.107/bteutovkpfgbea
Source: alg.exe, 00000009.00000003.3209760025.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.3191422112.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.3218423804.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.3208238740.000000000056E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://18.141.10.107/iaiodpshpb
Source: alg.exe, 00000009.00000003.2605900173.000000000055A000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.2606436106.0000000000562000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://18.141.10.107/qohndTi
Source: alg.exe, 00000009.00000003.3156928709.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.3220609083.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.3209760025.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.3230534446.000000000057B000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.3239370210.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.3191422112.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.3169068917.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.3221929509.000000000057A000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.3232490363.000000000057B000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.3218423804.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.3257756982.000000000057A000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.3208238740.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.3253000018.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.3120774885.000000000056E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://18.141.10.107/rgwkboikrm
Source: alg.exe, 00000009.00000003.3298047259.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.3290510552.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.3220609083.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.3209760025.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000002.3323934646.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.3230534446.000000000057B000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.3239370210.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.3221929509.000000000057A000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.3232490363.000000000057B000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.3218423804.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.3270342995.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.3257756982.000000000057A000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.3306777601.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.3253000018.000000000056E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://18.141.10.107/rrlwj
Source: alg.exe, 00000009.00000003.3120774885.000000000056E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://18.141.10.107/rxkipa--
Source: alg.exe, 00000009.00000003.2444067771.000000000055D000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.2228386739.000000000055D000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.2229224734.000000000055D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://18.141.10.107/xylpjhgrvuhkfdaoHxg
Source: alg.exe, 00000009.00000003.3209760025.000000000056E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://18.141.10.107:80/bteutovkpfgbeam
Source: alg.exe, 00000009.00000003.3191422112.000000000056E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://18.141.10.107:80/iaiodpshpb
Source: alg.exe, 00000009.00000003.2605900173.000000000056E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://18.141.10.107:80/qohnd
Source: alg.exe, 00000009.00000003.3220609083.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.3209760025.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.3218423804.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.3230534446.000000000056E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://18.141.10.107:80/rrlwj?cP
Source: alg.exe, 00000009.00000003.2229224734.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.2228386739.000000000056E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://18.141.10.107:80/xylpjhgrvuhkfdaofP
Source: alg.exe, 00000009.00000002.3323934646.000000000053D000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000002.3323934646.0000000000503000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://18.208.156.248/
Source: alg.exe, 00000009.00000003.3243906993.00000000005A7000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.3261023677.00000000005A7000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.3271473448.00000000005A7000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.3253000018.00000000005A9000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.3239370210.00000000005A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://18.208.156.248/abotv
Source: alg.exe, 00000009.00000003.3298047259.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.3290510552.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000002.3323934646.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.3239370210.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.3270342995.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.3257756982.000000000057A000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.3306777601.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.3253000018.000000000056E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://18.208.156.248/abotv-
Source: alg.exe, 00000009.00000003.3156928709.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.3169068917.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.3120774885.000000000056E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://18.208.156.248/doP/
Source: alg.exe, 00000009.00000003.3308546242.00000000005A7000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000002.3323934646.00000000005AA000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.3306777601.00000000005A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://18.208.156.248/mvljrpb
Source: alg.exe, 00000009.00000003.2725793461.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.2641781426.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.2690389382.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.2718655052.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.2726765067.000000000057B000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.2651055218.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.2665977163.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.2725466664.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.2709340960.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.2682321054.000000000056E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://18.208.156.248/sgbnffiuqoo%
Source: alg.exe, 00000009.00000003.2811149563.000000000057A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://18.208.156.248/skpxa-1
Source: alg.exe, 00000009.00000003.3050069889.00000000005C8000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.3047643251.00000000005C9000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.3079434309.00000000005C8000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.3030359798.00000000005C7000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.3058249726.00000000005C9000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.3078569820.00000000005C7000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.3061259113.00000000005C8000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.3031391633.00000000005C8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://18.208.156.248/wcffwbepjknhrkkd
Source: alg.exe, 00000009.00000003.3298047259.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.3259678244.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.3290510552.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000002.3323934646.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.3239370210.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.3270342995.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.3306777601.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.3253000018.000000000056E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://18.208.156.248:80/abotvsxbrrfP
Source: alg.exe, 00000009.00000003.3120774885.000000000056E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://18.208.156.248:80/doRb
Source: alg.exe, 00000009.00000003.3306777601.000000000056E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://18.208.156.248:80/mvljrpb
Source: alg.exe, 00000009.00000003.2641781426.000000000056E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://18.208.156.248:80/sgbnffiuqo
Source: alg.exe, 00000009.00000003.2963959260.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.2937382799.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.2926946186.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.3048558345.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.2910224096.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.2953099038.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.2946405217.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.2975335028.000000000056E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://18.208.156.248:80/skpx
Source: alg.exe, 00000009.00000003.3048558345.000000000056E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://18.208.156.248:80/wcffwbepjknhrkkdP
Source: alg.exe, 00000009.00000003.3256074527.000000000058B000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.3232490363.000000000058A000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.3253000018.000000000058A000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.3290510552.000000000058C000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.3306777601.000000000058A000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.3218423804.000000000058A000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.3220609083.000000000058A000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000002.3323934646.000000000058A000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.3298047259.000000000058A000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.3230534446.000000000058A000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.3239370210.000000000058A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://208.100.26.245/ikwdwlrjrslefrvs0
Source: alg.exe, 00000009.00000003.2651055218.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.2665977163.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.2682321054.000000000056E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://208.100.26.245/jae
Source: alg.exe, 00000009.00000003.2725793461.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.2690389382.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.2718655052.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.2744860394.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.2726765067.000000000057B000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.2651055218.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.2665977163.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.2768613145.000000000057B000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.2725466664.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.2739777279.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.2756206332.000000000057C000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.2709340960.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.2745831053.000000000057A000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.2682321054.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.2740295647.000000000057B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://208.100.26.245/lys
Source: alg.exe, 00000009.00000003.3218423804.00000000005A6000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.3256074527.000000000058B000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.3232490363.000000000058A000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.3253000018.000000000058A000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.3290510552.000000000058C000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.3306777601.000000000058A000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.3218423804.000000000058A000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.3220609083.000000000058A000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000002.3323934646.000000000058A000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.3219316989.00000000005A7000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.3298047259.000000000058A000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.3230534446.000000000058A000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.3239370210.000000000058A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://208.100.26.245/xvwjoyasecofgd
Source: alg.exe, 00000009.00000003.2690389382.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.2651055218.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.2665977163.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.2682321054.000000000056E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://208.100.26.245:80/jaegql
Source: alg.exe, 00000009.00000003.2768613145.000000000056E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://208.100.26.245:80/xnxlkgkrmwlxblktP
Source: alg.exe, 00000009.00000003.3218423804.000000000056E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://208.100.26.245:80/xvwjoyasecofgds
Source: alg.exe, 00000009.00000003.2976046353.00000000005A0000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.3108706967.00000000005A1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.3168377168.00000000005A1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.3168377168.000000000059A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://3.254.94.185/
Source: alg.exe, 00000009.00000003.2963501165.00000000005C9000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.2972957817.00000000005C9000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.2965853782.00000000005C7000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.2976881957.00000000005C8000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.2966318373.00000000005C8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://3.254.94.185/npjswmwoxwkrbxdZ
Source: alg.exe, 00000009.00000003.3261023677.00000000005A7000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.3253000018.00000000005A9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://3.254.94.185/plbdbgmplm
Source: alg.exe, 00000009.00000003.3261023677.00000000005A7000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.3253000018.00000000005A9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://3.254.94.185/plbdbgmplmdt9
Source: alg.exe, 00000009.00000003.3298047259.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.3290510552.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000002.3323934646.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.3270342995.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.3257756982.000000000057A000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.3306777601.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.3253000018.000000000056E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://3.254.94.185/plbdbgmplmi
Source: alg.exe, 00000009.00000003.3191422112.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.3169068917.000000000056E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://3.254.94.185/vsxacwvtko-
Source: alg.exe, 00000009.00000003.2963959260.000000000056E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://3.254.94.185:80/npjswmwoxwkrbxd
Source: alg.exe, 00000009.00000003.3298047259.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.3259678244.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.3290510552.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000002.3323934646.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.3270342995.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.3306777601.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.3253000018.000000000056E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://3.254.94.185:80/plbdbgmplm
Source: alg.exe, 00000009.00000003.3191422112.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.3169068917.000000000056E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://3.254.94.185:80/vsxacwvtko
Source: alg.exe, 00000009.00000003.2963627341.000000000057A000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.2953099038.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.2946405217.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.2975335028.000000000056E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://3.94.10.34/hqowbucyQQBrowser/
Source: alg.exe, 00000009.00000003.2725793461.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.2744860394.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.2811149563.000000000057A000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.2726765067.000000000057B000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.2768613145.000000000057B000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.2725466664.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.2739777279.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.2756206332.000000000057C000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.2745831053.000000000057A000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.2740295647.000000000057B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://3.94.10.34/ocntklkd-
Source: alg.exe, 00000009.00000003.2946405217.000000000056E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://3.94.10.34:80/hqowbucy
Source: alg.exe, 00000009.00000003.2725793461.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.2725466664.000000000056E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://3.94.10.34:80/ocntklkd
Source: alg.exe, 00000009.00000003.3208238740.000000000056E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://3.94.10.34:80/sonhfcaqlffu
Source: alg.exe, 00000009.00000003.3230534446.00000000005A6000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.3230534446.000000000058A000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.3239370210.000000000058A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://34.211.97.45/csepohryabqocrsd
Source: alg.exe, 00000009.00000003.2811149563.000000000057A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://34.211.97.45/hisgijrksnb
Source: alg.exe, 00000009.00000003.3048558345.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.3060374401.000000000057A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://34.211.97.45/vqtoaehaowser/
Source: alg.exe, 00000009.00000003.3230534446.000000000056E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://34.211.97.45:80/csepohryabqocrsdPLcC
Source: alg.exe, 00000009.00000003.2963959260.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.2937382799.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.2953099038.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.2946405217.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.2975335028.000000000056E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://34.211.97.45:80/n
Source: alg.exe, 00000009.00000003.2633722713.000000000055A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://34.246.200.160/
Source: alg.exe, 00000009.00000003.3220609083.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.3209760025.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.3230534446.000000000057B000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.3239370210.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.3191422112.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.3221929509.000000000057A000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.3232490363.000000000057B000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.3218423804.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.3208238740.000000000056E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://34.246.200.160/exqaqlffu
Source: build.exe, 00000007.00000002.2559158756.0000000003086000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk
Source: build.exe, 00000007.00000002.2559158756.0000000003086000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct
Source: build.exe, 00000007.00000002.2559158756.0000000003086000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1
Source: build.exe, 00000007.00000002.2559158756.0000000003086000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue
Source: build.exe, 00000007.00000002.2559158756.0000000003086000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce
Source: build.exe, 00000007.00000002.2559158756.0000000003086000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue
Source: build.exe, 00000007.00000002.2559158756.0000000003086000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT
Source: build.exe, 00000007.00000002.2559158756.0000000003086000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue
Source: build.exe, 00000007.00000002.2559158756.0000000003086000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT
Source: build.exe, 00000007.00000002.2559158756.0000000003086000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey
Source: build.exe, 00000007.00000002.2559158756.0000000003086000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust
Source: build.exe, 00000007.00000002.2559158756.0000000003086000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey
Source: build.exe, 00000007.00000002.2559158756.0000000003086000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey
Source: build.exe, 00000007.00000002.2559158756.0000000003086000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/06/addressingex
Source: build.exe, 00000007.00000002.2559158756.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: build.exe, 00000007.00000002.2559158756.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/fault
Source: build.exe, 00000007.00000002.2559158756.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: build.exe, 00000007.00000002.2559158756.0000000003086000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat
Source: build.exe, 00000007.00000002.2559158756.0000000003086000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted
Source: build.exe, 00000007.00000002.2559158756.0000000003086000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Commit
Source: build.exe, 00000007.00000002.2559158756.0000000003086000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed
Source: build.exe, 00000007.00000002.2559158756.0000000003086000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion
Source: build.exe, 00000007.00000002.2559158756.0000000003086000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC
Source: build.exe, 00000007.00000002.2559158756.0000000003086000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare
Source: build.exe, 00000007.00000002.2559158756.0000000003086000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepared
Source: build.exe, 00000007.00000002.2559158756.0000000003086000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly
Source: build.exe, 00000007.00000002.2559158756.0000000003086000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay
Source: build.exe, 00000007.00000002.2559158756.0000000003086000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback
Source: build.exe, 00000007.00000002.2559158756.0000000003086000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC
Source: build.exe, 00000007.00000002.2559158756.0000000003086000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/fault
Source: build.exe, 00000007.00000002.2559158756.0000000003086000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor
Source: build.exe, 00000007.00000002.2559158756.0000000003086000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContext
Source: build.exe, 00000007.00000002.2559158756.0000000003086000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse
Source: build.exe, 00000007.00000002.2559158756.0000000003086000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register
Source: build.exe, 00000007.00000002.2559158756.0000000003086000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterResponse
Source: build.exe, 00000007.00000002.2559158756.0000000003086000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/fault
Source: build.exe, 00000007.00000002.2559158756.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
Source: build.exe, 00000007.00000002.2559158756.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
Source: build.exe, 00000007.00000002.2559158756.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
Source: build.exe, 00000007.00000002.2559158756.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
Source: build.exe, 00000007.00000002.2559158756.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
Source: build.exe, 00000007.00000002.2559158756.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
Source: build.exe, 00000007.00000002.2559158756.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rmX
Source: build.exe, 00000007.00000002.2559158756.0000000003086000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
Source: build.exe, 00000007.00000002.2559158756.0000000003086000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk
Source: build.exe, 00000007.00000002.2559158756.0000000003086000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1
Source: build.exe, 00000007.00000002.2559158756.0000000003086000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/sct
Source: build.exe, 00000007.00000002.2559158756.0000000003086000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
Source: build.exe, 00000007.00000002.2559158756.0000000003086000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret
Source: build.exe, 00000007.00000002.2559158756.0000000003086000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1
Source: build.exe, 00000007.00000002.2559158756.0000000003086000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel
Source: build.exe, 00000007.00000002.2559158756.0000000003086000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
Source: build.exe, 00000007.00000002.2559158756.0000000003086000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce
Source: build.exe, 00000007.00000002.2559158756.0000000003086000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey
Source: build.exe, 00000007.00000002.2559158756.0000000003086000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
Source: build.exe, 00000007.00000002.2559158756.0000000003086000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT
Source: build.exe, 00000007.00000002.2559158756.0000000003086000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel
Source: build.exe, 00000007.00000002.2559158756.0000000003086000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew
Source: build.exe, 00000007.00000002.2559158756.0000000003086000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
Source: build.exe, 00000007.00000002.2559158756.0000000003086000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT
Source: build.exe, 00000007.00000002.2559158756.0000000003086000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel
Source: build.exe, 00000007.00000002.2559158756.0000000003086000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew
Source: build.exe, 00000007.00000002.2559158756.0000000003086000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
Source: build.exe, 00000007.00000002.2559158756.0000000003086000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
Source: build.exe, 00000007.00000002.2559158756.0000000003086000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/spnego
Source: build.exe, 00000007.00000002.2559158756.0000000003086000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego
Source: build.exe, 00000007.00000002.2559158756.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
Source: build.exe, 00000007.00000002.2559158756.0000000003086000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2200928108.00000000047B1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: build.exe, 00000007.00000002.2559158756.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
Source: build.exe, 00000007.00000002.2559158756.0000000003086000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
Source: powershell.exe, 0000000A.00000002.2200928108.0000000004905000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: build.exe, 00000007.00000002.2559158756.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/
Source: build.exe, 00000007.00000002.2559158756.0000000003086000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/D
Source: build.exe, 00000007.00000002.2559158756.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id1
Source: build.exe, 00000007.00000002.2559158756.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id10
Source: build.exe, 00000007.00000002.2559158756.0000000003086000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000007.00000002.2559158756.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id10Response
Source: build.exe, 00000007.00000002.2559158756.0000000003146000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id10ResponseD
Source: build.exe, 00000007.00000002.2559158756.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id11
Source: build.exe, 00000007.00000002.2559158756.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id11Response
Source: build.exe, 00000007.00000002.2559158756.0000000003086000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000007.00000002.2559158756.0000000003327000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id11ResponseD
Source: build.exe, 00000007.00000002.2559158756.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id12
Source: build.exe, 00000007.00000002.2559158756.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id12Response
Source: build.exe, 00000007.00000002.2559158756.0000000003086000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id12ResponseD
Source: build.exe, 00000007.00000002.2559158756.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id13
Source: build.exe, 00000007.00000002.2559158756.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id13Response
Source: build.exe, 00000007.00000002.2559158756.0000000003086000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id13ResponseD
Source: build.exe, 00000007.00000002.2559158756.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id14
Source: build.exe, 00000007.00000002.2559158756.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id14Response
Source: build.exe, 00000007.00000002.2559158756.0000000003086000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id14ResponseD
Source: build.exe, 00000007.00000002.2559158756.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id15
Source: build.exe, 00000007.00000002.2559158756.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id15Response
Source: build.exe, 00000007.00000002.2559158756.0000000003086000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id15ResponseD
Source: build.exe, 00000007.00000002.2559158756.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id16
Source: build.exe, 00000007.00000002.2559158756.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id16Response
Source: build.exe, 00000007.00000002.2559158756.0000000003086000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id16ResponseD
Source: build.exe, 00000007.00000002.2559158756.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id17
Source: build.exe, 00000007.00000002.2559158756.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id17Response
Source: build.exe, 00000007.00000002.2559158756.0000000003086000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id17ResponseD
Source: build.exe, 00000007.00000002.2559158756.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id18
Source: build.exe, 00000007.00000002.2559158756.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id18Response
Source: build.exe, 00000007.00000002.2559158756.0000000003086000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id18ResponseD
Source: build.exe, 00000007.00000002.2559158756.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id19
Source: build.exe, 00000007.00000002.2559158756.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id19Response
Source: build.exe, 00000007.00000002.2559158756.0000000003086000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id19ResponseD
Source: build.exe, 00000007.00000002.2559158756.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id1Response
Source: build.exe, 00000007.00000002.2559158756.0000000003086000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id1ResponseD
Source: build.exe, 00000007.00000002.2559158756.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id2
Source: build.exe, 00000007.00000002.2559158756.0000000003086000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000007.00000002.2559158756.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id20
Source: build.exe, 00000007.00000002.2559158756.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id20Response
Source: build.exe, 00000007.00000002.2559158756.0000000003086000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id20ResponseD
Source: build.exe, 00000007.00000002.2559158756.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id21
Source: build.exe, 00000007.00000002.2559158756.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id21Response
Source: build.exe, 00000007.00000002.2559158756.00000000031E0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id21ResponseD
Source: build.exe, 00000007.00000002.2559158756.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id22
Source: build.exe, 00000007.00000002.2559158756.0000000003086000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000007.00000002.2559158756.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id22Response
Source: build.exe, 00000007.00000002.2559158756.00000000031E0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id22ResponseD
Source: build.exe, 00000007.00000002.2559158756.000000000315A000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000007.00000002.2559158756.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id23
Source: build.exe, 00000007.00000002.2559158756.0000000003086000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000007.00000002.2559158756.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id23Response
Source: build.exe, 00000007.00000002.2559158756.00000000031E0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id23ResponseD
Source: build.exe, 00000007.00000002.2559158756.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id24
Source: build.exe, 00000007.00000002.2559158756.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id24Response
Source: build.exe, 00000007.00000002.2559158756.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id2Response
Source: build.exe, 00000007.00000002.2559158756.0000000003086000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id2ResponseD
Source: build.exe, 00000007.00000002.2559158756.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id3
Source: build.exe, 00000007.00000002.2559158756.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id3Response
Source: build.exe, 00000007.00000002.2559158756.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id4
Source: build.exe, 00000007.00000002.2559158756.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id4Response
Source: build.exe, 00000007.00000002.2559158756.0000000003086000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id4ResponseD
Source: build.exe, 00000007.00000002.2559158756.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id5
Source: build.exe, 00000007.00000002.2559158756.0000000003086000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000007.00000002.2559158756.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id5Response
Source: build.exe, 00000007.00000002.2559158756.0000000003086000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id5ResponseD
Source: build.exe, 00000007.00000002.2559158756.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id6
Source: build.exe, 00000007.00000002.2559158756.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id6Response
Source: build.exe, 00000007.00000002.2559158756.0000000003086000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id6ResponseD
Source: build.exe, 00000007.00000002.2559158756.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id7
Source: build.exe, 00000007.00000002.2559158756.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id7Response
Source: build.exe, 00000007.00000002.2559158756.0000000003086000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id7ResponseD
Source: build.exe, 00000007.00000002.2559158756.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id8
Source: build.exe, 00000007.00000002.2559158756.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id8Response
Source: build.exe, 00000007.00000002.2559158756.0000000003086000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id8ResponseD
Source: build.exe, 00000007.00000002.2559158756.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id9
Source: build.exe, 00000007.00000002.2559158756.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id9Response
Source: build.exe, 00000007.00000002.2559158756.000000000315A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id9ResponseD
Source: powershell.exe, 0000000A.00000002.2200928108.0000000004905000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: microsofts.exe, 00000005.00000003.2574053631.0000000006930000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.winimage.com/zLibDll
Source: alg.exe, 00000009.00000002.3323934646.0000000000503000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://zyiexezl.biz/
Source: powershell.exe, 0000000A.00000002.2200928108.00000000047B1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore6lBjq
Source: Native_Redline_BTC.exe, 00000006.00000002.2132146464.00000000123E2000.00000004.00000800.00020000.00000000.sdmp, Native_Redline_BTC.exe, 00000006.00000002.2132146464.0000000012309000.00000004.00000800.00020000.00000000.sdmp, Native_Redline_BTC.exe, 00000006.00000002.2132146464.0000000012397000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000007.00000002.2559158756.0000000003086000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000007.00000000.2126000556.0000000000BC2000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: https://api.ip.sb/ip
Source: microsofts.exe, 00000005.00000003.2636300214.0000000006930000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://clients2.google.com/service/update2/crxFailed
Source: microsofts.exe, 00000005.00000003.2637476112.0000000006930000.00000004.00001000.00020000.00000000.sdmp, microsofts.exe, 00000005.00000003.2638010693.0000000006930000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://clients2.google.com/service/update2/crxHKEY_LOCAL_MACHINE
Source: powershell.exe, 0000000A.00000002.2208880133.000000000581D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000A.00000002.2208880133.000000000581D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000A.00000002.2208880133.000000000581D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000000A.00000002.2200928108.0000000004905000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 0000000A.00000002.2208880133.000000000581D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: unknown Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.5:49704 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Local\Temp\microsofts.exe
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: 0_2_0046C5D0 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard, 0_2_0046C5D0
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: 0_2_00459FFF OpenClipboard,EmptyClipboard,CloseClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 0_2_00459FFF
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: 3_2_00459FFF OpenClipboard,EmptyClipboard,CloseClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 3_2_00459FFF
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: 0_2_00456354 GetCursorPos,ScreenToClient,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetWindowLongW, 0_2_00456354
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: 0_2_0047C08E SendMessageW,DefDlgProcW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,GetWindowLongW,SendMessageW,SendMessageW,SendMessageW,_wcsncpy,SendMessageW,SendMessageW,SendMessageW,InvalidateRect,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 0_2_0047C08E
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: 3_2_0047C08E SendMessageW,DefDlgProcW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,GetWindowLongW,SendMessageW,SendMessageW,SendMessageW,_wcsncpy,SendMessageW,SendMessageW,SendMessageW,InvalidateRect,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 3_2_0047C08E

System Summary

Source: 5.0.microsofts.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 4.2.svchost.exe.5600000.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000004.00000002.2126128048.0000000005600000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe, type: DROPPED Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: initial sample Static PE information: Filename: PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: 0_2_00434D50: GetFullPathNameW,__swprintf,_wcslen,_wcslen,_wcslen,CreateDirectoryW,CreateFileW,_memset,_wcslen,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle, 0_2_00434D50
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: 0_2_004461ED _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,_wcsncpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, 0_2_004461ED
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: 0_2_004364AA GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState, 0_2_004364AA
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: 3_2_004364AA GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState, 3_2_004364AA
Source: C:\Windows\System32\alg.exe File created: C:\Windows\system32\config\systemprofile\AppData\Roaming\97dd988331e417df.bin
Source: C:\Windows\System32\wbengine.exe File created: C:\Windows\Logs\WindowsBackup
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: 0_2_00409A40 0_2_00409A40
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: 0_2_00412038 0_2_00412038
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: 0_2_00427161 0_2_00427161
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: 0_2_0047E1FA 0_2_0047E1FA
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: 0_2_004212BE 0_2_004212BE
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: 0_2_00443390 0_2_00443390
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: 0_2_00443391 0_2_00443391
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: 0_2_0041A46B 0_2_0041A46B
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: 0_2_0041240C 0_2_0041240C
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: 0_2_00446566 0_2_00446566
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: 0_2_004045E0 0_2_004045E0
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: 0_2_0041D750 0_2_0041D750
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: 0_2_004037E0 0_2_004037E0
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: 0_2_00427859 0_2_00427859
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: 0_2_00412818 0_2_00412818
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: 0_2_0040F890 0_2_0040F890
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: 0_2_0042397B 0_2_0042397B
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: 0_2_00411B63 0_2_00411B63
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: 0_2_0047CBF0 0_2_0047CBF0
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: 0_2_0044EBBC 0_2_0044EBBC
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: 0_2_00412C38 0_2_00412C38
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: 0_2_0044ED9A 0_2_0044ED9A
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: 0_2_00423EBF 0_2_00423EBF
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: 0_2_00424F70 0_2_00424F70
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: 0_2_0041AF0D 0_2_0041AF0D
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: 0_2_0553E610 0_2_0553E610
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: 3_2_00409A40 3_2_00409A40
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: 3_2_00412038 3_2_00412038
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: 3_2_00427161 3_2_00427161
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: 3_2_0047E1FA 3_2_0047E1FA
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: 3_2_004212BE 3_2_004212BE
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: 3_2_00443390 3_2_00443390
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: 3_2_00443391 3_2_00443391
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: 3_2_0041A46B 3_2_0041A46B
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: 3_2_0041240C 3_2_0041240C
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: 3_2_00446566 3_2_00446566
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: 3_2_004045E0 3_2_004045E0
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: 3_2_0041D750 3_2_0041D750
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: 3_2_004037E0 3_2_004037E0
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: 3_2_00427859 3_2_00427859
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: 3_2_00412818 3_2_00412818
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: 3_2_0040F890 3_2_0040F890
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: 3_2_0042397B 3_2_0042397B
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: 3_2_00411B63 3_2_00411B63
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: 3_2_0047CBF0 3_2_0047CBF0
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: 3_2_0044EBBC 3_2_0044EBBC
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: 3_2_00412C38 3_2_00412C38
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: 3_2_0044ED9A 3_2_0044ED9A
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: 3_2_00423EBF 3_2_00423EBF
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: 3_2_00424F70 3_2_00424F70
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: 3_2_0041AF0D 3_2_0041AF0D
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: 3_2_057B15F0 3_2_057B15F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_04B0D580 4_2_04B0D580
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_04AD7F80 4_2_04AD7F80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_04B03780 4_2_04B03780
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_04B0C7F0 4_2_04B0C7F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_04B100D9 4_2_04B100D9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_04B139A3 4_2_04B139A3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_04AD6EAF 4_2_04AD6EAF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_04B05980 4_2_04B05980
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_04AD51EE 4_2_04AD51EE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_04AD7B71 4_2_04AD7B71
Source: C:\Users\user\AppData\Local\Temp\build.exe Code function: 7_2_0162DC74 7_2_0162DC74
Source: C:\Users\user\AppData\Local\Temp\build.exe Code function: 7_2_05B4F588 7_2_05B4F588
Source: C:\Users\user\AppData\Local\Temp\build.exe Code function: 7_2_05B4D570 7_2_05B4D570
Source: C:\Users\user\AppData\Local\Temp\build.exe Code function: 7_2_05B4E480 7_2_05B4E480
Source: C:\Users\user\AppData\Local\Temp\build.exe Code function: 7_2_05B4A4E8 7_2_05B4A4E8
Source: C:\Users\user\AppData\Local\Temp\build.exe Code function: 7_2_05B49788 7_2_05B49788
Source: C:\Users\user\AppData\Local\Temp\build.exe Code function: 7_2_05B45FF0 7_2_05B45FF0
Source: C:\Users\user\AppData\Local\Temp\build.exe Code function: 7_2_05B4C7C8 7_2_05B4C7C8
Source: C:\Users\user\AppData\Local\Temp\build.exe Code function: 7_2_05B4CE08 7_2_05B4CE08
Source: C:\Users\user\AppData\Local\Temp\build.exe Code function: 7_2_05B4B128 7_2_05B4B128
Source: C:\Users\user\AppData\Local\Temp\build.exe Code function: 7_2_05B48168 7_2_05B48168
Source: C:\Users\user\AppData\Local\Temp\build.exe Code function: 7_2_05B4B878 7_2_05B4B878
Source: C:\Users\user\AppData\Local\Temp\build.exe Code function: 7_2_05B4EBB8 7_2_05B4EBB8
Source: C:\Users\user\AppData\Local\Temp\build.exe Code function: 7_2_05B4A4D9 7_2_05B4A4D9
Source: C:\Users\user\AppData\Local\Temp\build.exe Code function: 7_2_05B4E46F 7_2_05B4E46F
Source: C:\Users\user\AppData\Local\Temp\build.exe Code function: 7_2_05B4C7BA 7_2_05B4C7BA
Source: C:\Users\user\AppData\Local\Temp\build.exe Code function: 7_2_05B44FD8 7_2_05B44FD8
Source: C:\Users\user\AppData\Local\Temp\build.exe Code function: 7_2_05B45720 7_2_05B45720
Source: C:\Users\user\AppData\Local\Temp\build.exe Code function: 7_2_05B47728 7_2_05B47728
Source: C:\Users\user\AppData\Local\Temp\build.exe Code function: 7_2_05B49778 7_2_05B49778
Source: C:\Users\user\AppData\Local\Temp\build.exe Code function: 7_2_05B4CE07 7_2_05B4CE07
Source: C:\Users\user\AppData\Local\Temp\build.exe Code function: 7_2_05B4B118 7_2_05B4B118
Source: C:\Users\user\AppData\Local\Temp\build.exe Code function: 7_2_05B4815A 7_2_05B4815A
Source: C:\Users\user\AppData\Local\Temp\build.exe Code function: 7_2_05B418D8 7_2_05B418D8
Source: C:\Users\user\AppData\Local\Temp\build.exe Code function: 7_2_05B4B869 7_2_05B4B869
Source: C:\Users\user\AppData\Local\Temp\build.exe Code function: 7_2_05B402E0 7_2_05B402E0
Source: C:\Users\user\AppData\Local\Temp\build.exe Code function: 7_2_05B402D0 7_2_05B402D0
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Code function: 8_2_014585C8 8_2_014585C8
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Code function: 8_2_014585B7 8_2_014585B7
Source: C:\Windows\System32\alg.exe Code function: 9_2_006A7C00 9_2_006A7C00
Source: C:\Windows\System32\alg.exe Code function: 9_2_006CA810 9_2_006CA810
Source: C:\Windows\System32\alg.exe Code function: 9_2_006D2D40 9_2_006D2D40
Source: C:\Windows\System32\alg.exe Code function: 9_2_006A79F0 9_2_006A79F0
Source: C:\Windows\System32\alg.exe Code function: 9_2_006C92A0 9_2_006C92A0
Source: C:\Windows\System32\alg.exe Code function: 9_2_006CEEB0 9_2_006CEEB0
Source: C:\Windows\System32\alg.exe Code function: 9_2_006C93B0 9_2_006C93B0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_046CB490 10_2_046CB490
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Process token adjusted: Load Driver
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Process token adjusted: Security
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: String function: 00425210 appears 58 times
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: String function: 00445975 appears 130 times
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: String function: 0041171A appears 74 times
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: String function: 0041832D appears 52 times
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: String function: 004136BC appears 36 times
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: String function: 004092C0 appears 50 times
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: String function: 0041718C appears 90 times
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: String function: 00401B70 appears 46 times
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: String function: 0040E6D0 appears 70 times
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: String function: 0043362D appears 38 times
Source: Acrobat.exe.5.dr Static PE information: Resource name: RT_STRING type: DOS executable (COM, 0x8C-variant)
Source: chrmstp.exe.5.dr Static PE information: Resource name: RT_STRING type: DOS executable (COM, 0x8C-variant)
Source: chrmstp.exe.5.dr Static PE information: Resource name: RT_STRING type: PDP-11 pure executable not stripped
Source: 117.0.5938.132_chrome_installer.exe.5.dr Static PE information: Resource name: B7 type: 7-zip archive data, version 0.4
Source: 117.0.5938.132_chrome_installer.exe.5.dr Static PE information: Resource name: BL type: Microsoft Cabinet archive data, Windows 2000/XP setup, 1522998 bytes, 1 file, at 0x2c +A "setup.exe", number 1, 133 datablocks, 0x1203 compression
Source: chrome_pwa_launcher.exe.5.dr Static PE information: Number of sections : 13 > 10
Source: chrmstp.exe.5.dr Static PE information: Number of sections : 14 > 10
Source: elevation_service.exe0.5.dr Static PE information: Number of sections : 12 > 10
Source: elevation_service.exe.5.dr Static PE information: Number of sections : 12 > 10
Source: PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe, 00000000.00000003.2074370373.000000000429D000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe
Source: PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe, 00000000.00000003.2074250734.00000000040F3000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe
Source: PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe, 00000003.00000003.2104936203.0000000004193000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe
Source: PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe, 00000003.00000003.2105107664.000000000433D000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe
Source: unknown Driver loaded: C:\Windows\System32\drivers\AppVStrm.sys
Source: PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: 5.0.microsofts.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 4.2.svchost.exe.5600000.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000004.00000002.2126128048.0000000005600000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe, type: DROPPED Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: armsvc.exe.4.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: ShowAppPickerForPDF.exe.5.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Acrobat.exe.5.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: private_browsing.exe.5.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: updater.exe.5.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Au3Info.exe.5.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Au3Info_x64.exe.5.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AutoIt3Help.exe.5.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AutoIt3_x64.exe.5.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: appvcleaner.exe.5.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: SciTE.exe.5.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AppVShNotify.exe.5.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: IntegratedOffice.exe.5.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: MavInject32.exe.5.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: OfficeC2RClient.exe.5.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: officesvcmgr.exe.5.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: alg.exe.5.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: chrome_pwa_launcher.exe.5.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: chrmstp.exe.5.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AdobeARMHelper.exe.5.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: jaureg.exe.5.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: jucheck.exe.5.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: jusched.exe.5.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: java.exe.5.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: javaw.exe.5.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: javaws.exe.5.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: GoogleCrashHandler.exe.5.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: GoogleCrashHandler64.exe.5.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: GoogleUpdate.exe.5.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AppVClient.exe.5.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: DiagnosticsHub.StandardCollector.Service.exe.5.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: FXSSVC.exe.5.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: GoogleUpdateBroker.exe.5.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: GoogleUpdateComRegisterShell64.exe.5.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: GoogleUpdateCore.exe.5.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: GoogleUpdateOnDemand.exe.5.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: 117.0.5938.132_chrome_installer.exe.5.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: jabswitch.exe.5.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: java-rmi.exe.5.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: java.exe0.5.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: javacpl.exe.5.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: javaw.exe0.5.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: elevation_service.exe.5.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: elevation_service.exe0.5.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: maintenanceservice.exe.5.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: msdtc.exe.5.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: msiexec.exe.5.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: javaws.exe0.5.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: jjs.exe.5.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: jp2launcher.exe.5.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: officesvcmgr.exe.5.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: alg.exe.5.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: chrome_pwa_launcher.exe.5.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: chrmstp.exe.5.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AdobeARMHelper.exe.5.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: jaureg.exe.5.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: jucheck.exe.5.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: jusched.exe.5.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: java.exe.5.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: javaw.exe.5.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: javaws.exe.5.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: GoogleCrashHandler.exe.5.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: GoogleCrashHandler64.exe.5.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: GoogleUpdate.exe.5.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AppVClient.exe.5.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: DiagnosticsHub.StandardCollector.Service.exe.5.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: FXSSVC.exe.5.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: GoogleUpdateBroker.exe.5.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: GoogleUpdateComRegisterShell64.exe.5.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: GoogleUpdateCore.exe.5.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: GoogleUpdateOnDemand.exe.5.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: 117.0.5938.132_chrome_installer.exe.5.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: jabswitch.exe.5.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: java-rmi.exe.5.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: java.exe0.5.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: javacpl.exe.5.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: javaw.exe0.5.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: elevation_service.exe.5.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: elevation_service.exe0.5.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: maintenanceservice.exe.5.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: msdtc.exe.5.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: msiexec.exe.5.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: javaws.exe0.5.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: jjs.exe.5.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: jp2launcher.exe.5.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Native_Redline_BTC.exe.4.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Native_Redline_BTC.exe.4.dr, WP6RZJql8gZrNhVA9v.cs Cryptographic APIs: 'CreateDecryptor'
Source: 4.2.svchost.exe.6000000.3.raw.unpack, WP6RZJql8gZrNhVA9v.cs Cryptographic APIs: 'CreateDecryptor'
Source: classification engine Classification label: mal100.spre.troj.spyw.expl.evad.winEXE@49/171@148/22
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: 0_2_0044AF5C GetLastError,FormatMessageW, 0_2_0044AF5C
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: 0_2_00464422 OpenProcess,GetLastError,GetLastError,GetCurrentThread,OpenThreadToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,AdjustTokenPrivileges,GetLastError,OpenProcess,AdjustTokenPrivileges,CloseHandle,TerminateProcess,GetLastError,CloseHandle, 0_2_00464422
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: 0_2_004364AA GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState, 0_2_004364AA
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: 3_2_00464422 OpenProcess,GetLastError,GetLastError,GetCurrentThread,OpenThreadToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,AdjustTokenPrivileges,GetLastError,OpenProcess,AdjustTokenPrivileges,CloseHandle,TerminateProcess,GetLastError,CloseHandle, 3_2_00464422
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: 3_2_004364AA GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState, 3_2_004364AA
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: 0_2_0045D517 SetErrorMode,GetDiskFreeSpaceW,GetLastError,SetErrorMode, 0_2_0045D517
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: 0_2_0043701F CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,__wsplitpath,_wcscat,__wcsicoll,CloseHandle, 0_2_0043701F
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: 0_2_0047A999 OleInitialize,CLSIDFromProgID,CoCreateInstance,CoInitializeSecurity,_memset,_wcslen,_memset,CoCreateInstanceEx,CoSetProxyBlanket, 0_2_0047A999
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: 0_2_0043614F __swprintf,__swprintf,__wcsicoll,FindResourceW,LoadResource,LockResource,FindResourceW,LoadResource,SizeofResource,LockResource,CreateIconFromResourceEx, 0_2_0043614F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_04AFCBD0 StrStrIW,CloseHandle,StrStrIW,CloseServiceHandle,OpenServiceW,StrStrIW,_wcslen,ChangeServiceConfigW,StrStrIW,StrStrIW,CloseServiceHandle,CloseHandle,StartServiceW, 4_2_04AFCBD0
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe File created: C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Users\user\AppData\Roaming\97dd988331e417df.bin
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Mutant created: NULL
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Mutant created: \Sessions\1\BaseNamedObjects\kbedaSzAAOYDRDgN
Source: C:\Windows\SysWOW64\svchost.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\Multiarch.m0yv-97dd988331e417df73779169-b
Source: C:\Windows\SysWOW64\svchost.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\Multiarch.m0yv-97dd988331e417df-inf
Source: C:\Windows\System32\alg.exe Mutant created: \BaseNamedObjects\Global\Multiarch.m0yv-97dd988331e417df9ea72c54-b
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6768:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7304:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1276:120:WilError_03
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe File created: C:\Users\user\AppData\Local\Temp\wainage
Source: PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\build.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\build.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\build.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: build.exe, 00000007.00000002.2559158756.00000000035E6000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000007.00000002.2559158756.0000000003553000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000007.00000002.2559158756.000000000353D000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000007.00000002.2559158756.00000000035D1000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000007.00000002.2559158756.00000000034AA000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000007.00000002.2559158756.00000000034C0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe ReversingLabs: Detection: 31%
Source: PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Virustotal: Detection: 34%
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe File read: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe
Source: C:\Windows\SysWOW64\svchost.exe Evasive API call chain: __getmainargs,DecisionNodes,exit
Source: unknown Process created: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe "C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe"
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe"
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Process created: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe "C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe"
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe"
Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Users\user\AppData\Local\Temp\microsofts.exe "C:\Users\user\AppData\Local\Temp\microsofts.exe"
Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe "C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe"
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe Process created: C:\Users\user\AppData\Local\Temp\build.exe "C:\Users\user\AppData\Local\Temp\build.exe"
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe Process created: C:\Users\user\AppData\Local\Temp\server_BTC.exe "C:\Users\user\AppData\Local\Temp\server_BTC.exe"
Source: unknown Process created: C:\Windows\System32\alg.exe C:\Windows\System32\alg.exe
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe" /st 04:12 /du 23:59 /sc daily /ri 1 /f
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process created: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe"
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpD5D5.tmp.cmd""
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 6
Source: unknown Process created: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe
Source: unknown Process created: C:\Windows\System32\AppVClient.exe C:\Windows\system32\AppVClient.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: unknown Process created: C:\Windows\System32\FXSSVC.exe C:\Windows\system32\fxssvc.exe
Source: unknown Process created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe"
Source: unknown Process created: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
Source: unknown Process created: C:\Windows\System32\msdtc.exe C:\Windows\System32\msdtc.exe
Source: unknown Process created: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe"
Source: unknown Process created: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Source: unknown Process created: C:\Windows\SysWOW64\perfhost.exe C:\Windows\SysWow64\perfhost.exe
Source: unknown Process created: C:\Windows\System32\Locator.exe C:\Windows\system32\locator.exe
Source: unknown Process created: C:\Windows\System32\SensorDataService.exe C:\Windows\System32\SensorDataService.exe
Source: unknown Process created: C:\Windows\System32\snmptrap.exe C:\Windows\System32\snmptrap.exe
Source: unknown Process created: C:\Windows\System32\Spectrum.exe C:\Windows\system32\spectrum.exe
Source: unknown Process created: C:\Windows\System32\OpenSSH\ssh-agent.exe C:\Windows\System32\OpenSSH\ssh-agent.exe
Source: unknown Process created: C:\Windows\System32\TieringEngineService.exe C:\Windows\system32\TieringEngineService.exe
Source: unknown Process created: C:\Windows\System32\AgentService.exe C:\Windows\system32\AgentService.exe
Source: unknown Process created: C:\Windows\System32\vds.exe C:\Windows\System32\vds.exe
Source: unknown Process created: C:\Windows\System32\wbengine.exe "C:\Windows\system32\wbengine.exe"
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: slc.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Section loaded: rasman.dll
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Section loaded: vaultcli.dll
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: msvcp140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: windowscodecs.dll
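The module lists above are raw evidence; what a triage analyst wants from them is which process, running from a user-writable path, loaded the credential-store (vaultcli.dll, dpapi.dll), WMI (wbemcomn.dll), Restart Manager (rstrtmgr.dll) and screenshot-encoding (windowscodecs.dll) stack that a stealer needs, and which module loads repeat in a loop. The following Python is an added example, not part of the Joe Sandbox report or its tooling: it parses lines in the format shown here (the embedded sample is a constructed subset copied from this report, with and without the trailing link text), groups modules per process, and flags processes that fit the stealer profile. The INDICATORS mapping, the user-writable-path rule and the function names are this example's own assumptions.

```python
"""Triage helper for sandbox "Section loaded" lines (added example, not report tooling)."""
import re
from collections import Counter, defaultdict

# "Source: <process path> Section loaded: <module>[ Jump to behavior]"
LINE_RE = re.compile(r"^Source:\s+(?P<proc>.+?)\s+Section loaded:\s+(?P<dll>[\w.\-]+)", re.I)

# Assumption: DLL families and the capability they back, chosen to match what
# RedLine-class stealers do. Not a mapping taken from the report.
INDICATORS = {
    "credential_store": {"vaultcli.dll", "dpapi.dll"},      # Credential Manager, CryptUnprotectData
    "tls_client":       {"schannel.dll", "ncryptsslp.dll", "mskeyprotect.dll", "webio.dll"},
    "wmi_recon":        {"wbemcomn.dll"},                   # Win32_DiskDrive / Win32_NetworkAdapter
    "locked_db_access": {"rstrtmgr.dll"},                   # Restart Manager: read browser DBs held open
    "screenshot":       {"windowscodecs.dll"},              # WIC encoders for screen captures
    "managed_code":     {"mscoree.dll", "amsi.dll"},        # .NET host; AMSI sees in-memory assembly loads
}

# Directories a standard user can write to; a binary here carries no install-time trust.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\users\\public\\")

# Constructed subset of this report's behaviour log.
SAMPLE = r"""
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Section loaded: vaultcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: rstrtmgr.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\alg.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\alg.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe Section loaded: ondemandconnroutehelper.dll
"""


def parse_section_loads(text):
    """Return {process_path: [module, ...]} in load order; duplicates are kept."""
    loads = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            loads[m.group("proc")].append(m.group("dll").lower())
    return loads


def indicator_hits(modules):
    """Map indicator family -> matching modules; families with no hit are omitted."""
    present = set(modules)
    return {fam: present & dlls for fam, dlls in INDICATORS.items() if present & dlls}


def is_user_writable(path):
    return any(marker in path.lower() for marker in USER_WRITABLE)


def triage(text, min_families=2):
    """[(process, hits)] for processes worth escalating, most families first.

    Only binaries in user-writable locations are flagged on module evidence alone:
    powershell.exe legitimately loads dpapi.dll and wbemcomn.dll, so for system
    tools the command line, not the module list, has to decide.
    """
    flagged = []
    for proc, modules in parse_section_loads(text).items():
        hits = indicator_hits(modules)
        if is_user_writable(proc) and len(hits) >= min_families:
            flagged.append((proc, hits))
    return sorted(flagged, key=lambda item: len(item[1]), reverse=True)


def repeated_loads(text, min_count=3):
    """(process, module) pairs recorded at least min_count times: a loop re-entering
    a network path, as alg.exe does with ondemandconnroutehelper.dll in this report."""
    counts = Counter()
    for proc, modules in parse_section_loads(text).items():
        counts.update((proc, dll) for dll in modules)
    return {key: n for key, n in counts.items() if n >= min_count}


if __name__ == "__main__":
    for proc, hits in triage(SAMPLE):
        print(proc, "->", ", ".join(f"{fam}={sorted(mods)}" for fam, mods in hits.items()))
    for (proc, dll), n in repeated_loads(SAMPLE).items():
        print(f"{proc} loaded {dll} {n} times")
```

Run against the full report rather than the sample, the same two functions separate the dropped stagers (microsofts.exe, build.exe, the BTC-named binaries) from the system services that merely appear in the log, and surface the alg.exe load loop without an analyst scrolling through the repeats.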
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: linkinfo.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: ntshrui.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: cscapi.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\alg.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\alg.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\alg.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\alg.exe Section loaded: mpr.dll
Source: C:\Windows\System32\alg.exe Section loaded: secur32.dll
Source: C:\Windows\System32\alg.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\alg.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\alg.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\alg.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\alg.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\alg.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\alg.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\alg.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\alg.exe Section loaded: webio.dll
Source: C:\Windows\System32\alg.exe Section loaded: ondemandconnroutehelper.dll (repeated; 86 identical load events are recorded for alg.exe in total)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\timeout.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\AppVClient.exe Section loaded: appvpolicy.dll
Source: C:\Windows\System32\AppVClient.exe Section loaded: userenv.dll
Source: C:\Windows\System32\AppVClient.exe Section loaded: wtsapi32.dll
Source: C:\Windows\System32\AppVClient.exe Section loaded: netapi32.dll
Source: C:\Windows\System32\AppVClient.exe Section loaded: secur32.dll
Source: C:\Windows\System32\AppVClient.exe Section loaded: wininet.dll
Source: C:\Windows\System32\AppVClient.exe Section loaded: netutils.dll
Source: C:\Windows\System32\AppVClient.exe Section loaded: samcli.dll
Source: C:\Windows\System32\AppVClient.exe Section loaded: logoncli.dll
Source: C:\Windows\System32\AppVClient.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\AppVClient.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\AppVClient.exe Section loaded: mpr.dll
Source: C:\Windows\System32\AppVClient.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\AppVClient.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\AppVClient.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\AppVClient.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\AppVClient.exe Section loaded: appmanagementconfiguration.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: version.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: tapi32.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: credui.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: fxstiff.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: mpr.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: secur32.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: slc.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: sppc.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: fxsresm.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: ualapi.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: slc.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: sppc.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: slc.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: sppc.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: wldp.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: profapi.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: slc.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: sppc.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe Section loaded: dbghelp.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe Section loaded: winhttp.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe Section loaded: mpr.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe Section loaded: secur32.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Section loaded: version.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Section loaded: winhttp.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Section loaded: mpr.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Section loaded: secur32.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: msdtctm.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: msdtcprx.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: msdtclog.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: mtxclu.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: winmm.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: clusapi.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: xolehlp.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: ktmw32.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: resutils.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: mpr.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: secur32.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: comres.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: msdtcvsp1res.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: mtxoci.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: oci.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: cscapi.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: netutils.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: firewallapi.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: fwbase.dll
Source: C:\Windows\System32\msdtc.exe Section loaded: fwpolicyiomgr.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe Section loaded: hid.dll
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe Section loaded: dxgi.dll
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe Section loaded: devobj.dll
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe Section loaded: mpr.dll
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe Section loaded: secur32.dll
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\Locator.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\Locator.exe Section loaded: mpr.dll
Source: C:\Windows\System32\Locator.exe Section loaded: secur32.dll
Source: C:\Windows\System32\Locator.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\Locator.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\Locator.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\Locator.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\SensorDataService.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\SensorDataService.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\SensorDataService.exe Section loaded: mpr.dll
Source: C:\Windows\System32\SensorDataService.exe Section loaded: secur32.dll
Source: C:\Windows\System32\SensorDataService.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\SensorDataService.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\SensorDataService.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\SensorDataService.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\SensorDataService.exe Section loaded: mfplat.dll
Source: C:\Windows\System32\SensorDataService.exe Section loaded: rtworkq.dll
Source: C:\Windows\System32\SensorDataService.exe Section loaded: windows.devices.perception.dll
Source: C:\Windows\System32\SensorDataService.exe Section loaded: mediafoundation.defaultperceptionprovider.dll
Source: C:\Windows\System32\SensorDataService.exe Section loaded: windows.devices.enumeration.dll
Source: C:\Windows\System32\SensorDataService.exe Section loaded: propsys.dll
Source: C:\Windows\System32\SensorDataService.exe Section loaded: structuredquery.dll
Source: C:\Windows\System32\SensorDataService.exe Section loaded: profapi.dll
Source: C:\Windows\System32\SensorDataService.exe Section loaded: windows.globalization.dll
Source: C:\Windows\System32\SensorDataService.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\SensorDataService.exe Section loaded: bcp47mrm.dll
Source: C:\Windows\System32\SensorDataService.exe Section loaded: icu.dll
Source: C:\Windows\System32\SensorDataService.exe Section loaded: mswb7.dll
Source: C:\Windows\System32\SensorDataService.exe Section loaded: devdispitemprovider.dll
Source: C:\Windows\System32\snmptrap.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
Source: PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Static file information: File size 6536429 > 1048576
Source: Binary string: C:\work\p4\splinters\Splinters\S\BuildResults\bin\Win32\ReaderRelease\FullTrustNotifier\FullTrustNotifier.pdb77.GCTL source: microsofts.exe, 00000005.00000003.2814742901.00000000008D0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\DCB\CBT_Main\BuildResults\bin\Win32\Release\armsvc.pdb source: svchost.exe, 00000004.00000003.2117161798.0000000005820000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: E:\PkgInstaller\base\ntsetup\SrvPack.Main\tools\sfxcab\sfxcab\objfre\i386\sfxcab.pdb source: microsofts.exe, 00000005.00000003.2894889964.00000000008D0000.00000004.00001000.00020000.00000000.sdmp, microsofts.exe, 00000005.00000003.2906588524.0000000000590000.00000004.00001000.00020000.00000000.sdmp, microsofts.exe, 00000005.00000003.2891835295.00000000008D0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: msiexec.pdb source: microsofts.exe, 00000005.00000003.2261668273.0000000007250000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\AcrobatInfo.pdb source: microsofts.exe, 00000005.00000003.2480516166.0000000006940000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ssh-agent.pdb source: microsofts.exe, 00000005.00000003.2334730630.0000000007250000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: AppVClient.pdb source: microsofts.exe, 00000005.00000003.2165441366.0000000005000000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\TextExtractor.pdb444 source: microsofts.exe, 00000005.00000003.2617403766.0000000006930000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\TextExtractor.pdb source: microsofts.exe, 00000005.00000003.2617403766.0000000006930000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: msiexec.pdbGCTL source: microsofts.exe, 00000005.00000003.2261668273.0000000007250000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ADelRCP_Exec.pdb source: microsofts.exe, 00000005.00000003.2640650319.0000000006930000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: mavinject32.pdbGCTL source: microsofts.exe, 00000005.00000003.2954719715.0000000004F90000.00000004.00001000.00020000.00000000.sdmp, microsofts.exe, 00000005.00000003.2958576638.00000000008C0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: PresentationFontCache.pdb source: microsofts.exe, 00000005.00000003.2212014906.0000000006960000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: PerceptionSimulationService.pdb source: microsofts.exe, 00000005.00000003.2272521083.0000000007250000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: _.pdb source: microsofts.exe, 00000005.00000003.2119948725.00000000006E3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe, 00000000.00000003.2074787470.0000000004170000.00000004.00001000.00020000.00000000.sdmp, PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe, 00000000.00000003.2074250734.0000000003FD0000.00000004.00001000.00020000.00000000.sdmp, PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe, 00000003.00000003.2102593621.0000000003DF0000.00000004.00001000.00020000.00000000.sdmp, PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe, 00000003.00000003.2103800748.0000000003F90000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\WebInstaller\AcroMiniServicesUpdater.pdb source: microsofts.exe, 00000005.00000003.2523798561.0000000006930000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: MsSense.pdbGCTL source: microsofts.exe, 00000005.00000003.2299207011.0000000007250000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\plug_ins\pi_brokers\MSRMSPIBroker.pdbAAAGCTL source: microsofts.exe, 00000005.00000003.2806405530.00000000008D0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: MsSense.pdb source: microsofts.exe, 00000005.00000003.2299207011.0000000007250000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\dbs\el\omr\Target\x64\ship\click2run\x-none\InspectorOfficeGadget.pdb source: microsofts.exe, 00000005.00000003.2940771463.00000000008C0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\Acrobat\Installers\ShowAppPickerForPDF\Release_x64\ShowAppPickerForPDF.pdb source: microsofts.exe, 00000005.00000003.2837407835.0000000000590000.00000004.00001000.00020000.00000000.sdmp, microsofts.exe, 00000005.00000003.2825064173.00000000008D0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: WmiApSrv.pdbGCTL source: microsofts.exe, 00000005.00000003.2391093241.0000000007250000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\WCChromeNativeMessagingHost.pdb888 source: microsofts.exe, 00000005.00000003.2675621901.0000000006930000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: Acrobat_SL.pdb((( source: microsofts.exe, 00000005.00000003.2494651732.0000000006940000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: locator.pdb source: microsofts.exe, 00000005.00000003.2289813880.0000000007250000.00000004.00001000.00020000.00000000.sdmp, microsofts.exe, 00000005.00000003.2295639551.0000000006910000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: DiagnosticsHub.StandardCollector.Service.pdbGCTL source: microsofts.exe, 00000005.00000003.2186596905.0000000006950000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ADelRCP_Exec.pdbCC9 source: microsofts.exe, 00000005.00000003.2640650319.0000000006930000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\AcroBroker.pdb source: microsofts.exe, 00000005.00000003.2505449143.0000000006940000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: Acrobat_SL.pdb source: microsofts.exe, 00000005.00000003.2494651732.0000000006940000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: E:\PkgInstaller\base\ntsetup\SrvPack.Main\tools\sfxcab\sfxcab\objfre\i386\sfxcab.pdbU source: microsofts.exe, 00000005.00000003.2894889964.00000000008D0000.00000004.00001000.00020000.00000000.sdmp, microsofts.exe, 00000005.00000003.2906588524.0000000000590000.00000004.00001000.00020000.00000000.sdmp, microsofts.exe, 00000005.00000003.2891835295.00000000008D0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\WebInstaller\AcroMiniServicesUpdater.pdbT source: microsofts.exe, 00000005.00000003.2523798561.0000000006930000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\workspace\CR-Windows-x64-Client-Builder\x64\Release\CRWindowsClientService.pdbGG source: microsofts.exe, 00000005.00000003.2704629556.0000000006930000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\AcrobatInfo.pdb))) source: microsofts.exe, 00000005.00000003.2480516166.0000000006940000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: mavinject32.pdb source: microsofts.exe, 00000005.00000003.2954719715.0000000004F90000.00000004.00001000.00020000.00000000.sdmp, microsofts.exe, 00000005.00000003.2958576638.00000000008C0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: maintenanceservice.pdb source: microsofts.exe, 00000005.00000003.2245227049.0000000007250000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: 64BitMAPIBroker.pdb source: microsofts.exe, 00000005.00000003.2787951511.00000000008D0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: PerceptionSimulationService.pdbGCTL source: microsofts.exe, 00000005.00000003.2272521083.0000000007250000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: snmptrap.pdbGCTL source: microsofts.exe, 00000005.00000003.2314590976.0000000007250000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: msdtcexe.pdbGCTL source: microsofts.exe, 00000005.00000003.2250623061.0000000007250000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\dbs\el\omr\Target\x64\ship\click2run\x-none\InspectorOfficeGadget.pdbY source: microsofts.exe, 00000005.00000003.2940771463.00000000008C0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: PerfHost.pdbGCTL source: microsofts.exe, 00000005.00000003.2284066039.0000000007250000.00000004.00001000.00020000.00000000.sdmp, microsofts.exe, 00000005.00000003.2288206191.0000000006910000.00000004.00001000.00020000.00000000.sdmp, microsofts.exe, 00000005.00000003.2282909180.0000000007250000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: E:\jenkins\workspace\NGL_WORKFLOW\build\master\win64\Release\Acrobat\project\win\ngl-workflow\x64\Release (Acrobat)\adobe_licensing_wf_helper_acro.pdb source: microsofts.exe, 00000005.00000003.2767066626.00000000008D0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\WCChromeNativeMessagingHost.pdb source: microsofts.exe, 00000005.00000003.2675621901.0000000006930000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: AppVClient.pdbGCTL source: microsofts.exe, 00000005.00000003.2165441366.0000000005000000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\work\p4\splinters\Splinters\S\BuildResults\bin\Win32\ReaderRelease\FullTrustNotifier\FullTrustNotifier.pdb source: microsofts.exe, 00000005.00000003.2814742901.00000000008D0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\workspace\CR-Windows-x64-Client-Builder\x64\Release\CRWindowsClientService.pdb source: microsofts.exe, 00000005.00000003.2704629556.0000000006930000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release\Plug_ins\pi_brokers\32BitMAPIBroker.pdb@@ source: microsofts.exe, 00000005.00000003.2773806278.00000000008D0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: PerfHost.pdb source: microsofts.exe, 00000005.00000003.2284066039.0000000007250000.00000004.00001000.00020000.00000000.sdmp, microsofts.exe, 00000005.00000003.2288206191.0000000006910000.00000004.00001000.00020000.00000000.sdmp, microsofts.exe, 00000005.00000003.2282909180.0000000007250000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\plug_ins\pi_brokers\MSRMSPIBroker.pdb source: microsofts.exe, 00000005.00000003.2806405530.00000000008D0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: maintenanceservice.pdb` source: microsofts.exe, 00000005.00000003.2245227049.0000000007250000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\Acrobat\Installers\ShowAppPickerForPDF\Release_x64\ShowAppPickerForPDF.pdb$$ source: microsofts.exe, 00000005.00000003.2837407835.0000000000590000.00000004.00001000.00020000.00000000.sdmp, microsofts.exe, 00000005.00000003.2825064173.00000000008D0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe, 00000000.00000003.2074787470.0000000004170000.00000004.00001000.00020000.00000000.sdmp, PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe, 00000000.00000003.2074250734.0000000003FD0000.00000004.00001000.00020000.00000000.sdmp, PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe, 00000003.00000003.2102593621.0000000003DF0000.00000004.00001000.00020000.00000000.sdmp, PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe, 00000003.00000003.2103800748.0000000003F90000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: TieringEngineService.pdb source: microsofts.exe, 00000005.00000003.2343789466.0000000007250000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: TieringEngineService.pdbGCTL source: microsofts.exe, 00000005.00000003.2343789466.0000000007250000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: WmiApSrv.pdb source: microsofts.exe, 00000005.00000003.2391093241.0000000007250000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\Eula.pdb source: microsofts.exe, 00000005.00000003.2718653783.0000000000590000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ALG.pdb source: microsofts.exe, 00000005.00000003.2119381762.00000000050D0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: msdtcexe.pdb source: microsofts.exe, 00000005.00000003.2250623061.0000000007250000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: DiagnosticsHub.StandardCollector.Service.pdb source: microsofts.exe, 00000005.00000003.2186596905.0000000006950000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ALG.pdbGCTL source: microsofts.exe, 00000005.00000003.2119381762.00000000050D0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: PresentationFontCache.pdbHt^t Pt_CorExeMainmscoree.dll source: microsofts.exe, 00000005.00000003.2212014906.0000000006960000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: locator.pdbGCTL source: microsofts.exe, 00000005.00000003.2289813880.0000000007250000.00000004.00001000.00020000.00000000.sdmp, microsofts.exe, 00000005.00000003.2295639551.0000000006910000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\AcroBroker.pdbTTT source: microsofts.exe, 00000005.00000003.2505449143.0000000006940000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ssh-agent.pdbX source: microsofts.exe, 00000005.00000003.2334730630.0000000007250000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: AppVShNotify.pdb source: microsofts.exe, 00000005.00000003.2932313089.00000000008D0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: snmptrap.pdb source: microsofts.exe, 00000005.00000003.2314590976.0000000007250000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release\Plug_ins\pi_brokers\32BitMAPIBroker.pdb source: microsofts.exe, 00000005.00000003.2773806278.00000000008D0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\Eula.pdb888 source: microsofts.exe, 00000005.00000003.2718653783.0000000000590000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: AppVShNotify.pdbGCTL source: microsofts.exe, 00000005.00000003.2932313089.00000000008D0000.00000004.00001000.00020000.00000000.sdmp

Data Obfuscation

Source: Native_Redline_BTC.exe.4.dr, WP6RZJql8gZrNhVA9v.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 4.2.svchost.exe.6000000.3.raw.unpack, WP6RZJql8gZrNhVA9v.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: appvcleaner.exe.5.dr Static PE information: 0xBEAF7172 [Mon May 18 10:01:22 2071 UTC]
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: 0_2_0040EB70 LoadLibraryA,GetProcAddress, 0_2_0040EB70
Source: PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Static PE information: real checksum: 0xa2135 should be: 0x6402d4
Source: armsvc.exe.4.dr Static PE information: real checksum: 0x32318 should be: 0x13ed32
Source: Native_Redline_BTC.exe.4.dr Static PE information: real checksum: 0x0 should be: 0x9799b
Source: armsvc.exe.4.dr Static PE information: section name: .didat
Source: Acrobat.exe.5.dr Static PE information: section name: .didat
Source: private_browsing.exe.5.dr Static PE information: section name: .00cfg
Source: private_browsing.exe.5.dr Static PE information: section name: .voltbl
Source: updater.exe.5.dr Static PE information: section name: .00cfg
Source: updater.exe.5.dr Static PE information: section name: .voltbl
Source: updater.exe.5.dr Static PE information: section name: _RDATA
Source: setup.exe.5.dr Static PE information: section name: .didat
Source: setup.exe.5.dr Static PE information: section name: _RDATA
Source: IntegratedOffice.exe.5.dr Static PE information: section name: .didat
Source: IntegratedOffice.exe.5.dr Static PE information: section name: _RDATA
Source: OfficeC2RClient.exe.5.dr Static PE information: section name: .didat
Source: OfficeC2RClient.exe.5.dr Static PE information: section name: .detourc
Source: officesvcmgr.exe.5.dr Static PE information: section name: .didat
Source: alg.exe.5.dr Static PE information: section name: .didat
Source: chrome_pwa_launcher.exe.5.dr Static PE information: section name: .00cfg
Source: chrome_pwa_launcher.exe.5.dr Static PE information: section name: .gxfg
Source: chrome_pwa_launcher.exe.5.dr Static PE information: section name: .retplne
Source: chrome_pwa_launcher.exe.5.dr Static PE information: section name: LZMADEC
Source: chrome_pwa_launcher.exe.5.dr Static PE information: section name: _RDATA
Source: chrome_pwa_launcher.exe.5.dr Static PE information: section name: malloc_h
Source: chrmstp.exe.5.dr Static PE information: section name: .00cfg
Source: chrmstp.exe.5.dr Static PE information: section name: .gxfg
Source: chrmstp.exe.5.dr Static PE information: section name: .retplne
Source: chrmstp.exe.5.dr Static PE information: section name: CPADinfo
Source: chrmstp.exe.5.dr Static PE information: section name: LZMADEC
Source: chrmstp.exe.5.dr Static PE information: section name: _RDATA
Source: chrmstp.exe.5.dr Static PE information: section name: malloc_h
Source: GoogleCrashHandler64.exe.5.dr Static PE information: section name: _RDATA
Source: GoogleCrashHandler64.exe.5.dr Static PE information: section name: .gxfg
Source: GoogleCrashHandler64.exe.5.dr Static PE information: section name: .gehcont
Source: FXSSVC.exe.5.dr Static PE information: section name: .didat
Source: GoogleUpdateComRegisterShell64.exe.5.dr Static PE information: section name: _RDATA
Source: GoogleUpdateComRegisterShell64.exe.5.dr Static PE information: section name: .gxfg
Source: GoogleUpdateComRegisterShell64.exe.5.dr Static PE information: section name: .gehcont
Source: 117.0.5938.132_chrome_installer.exe.5.dr Static PE information: section name: .00cfg
Source: 117.0.5938.132_chrome_installer.exe.5.dr Static PE information: section name: .retplne
Source: elevation_service.exe.5.dr Static PE information: section name: .00cfg
Source: elevation_service.exe.5.dr Static PE information: section name: .gxfg
Source: elevation_service.exe.5.dr Static PE information: section name: .retplne
Source: elevation_service.exe.5.dr Static PE information: section name: _RDATA
Source: elevation_service.exe.5.dr Static PE information: section name: malloc_h
Source: elevation_service.exe0.5.dr Static PE information: section name: .00cfg
Source: elevation_service.exe0.5.dr Static PE information: section name: .gxfg
Source: elevation_service.exe0.5.dr Static PE information: section name: .retplne
Source: elevation_service.exe0.5.dr Static PE information: section name: _RDATA
Source: elevation_service.exe0.5.dr Static PE information: section name: malloc_h
Source: maintenanceservice.exe.5.dr Static PE information: section name: .00cfg
Source: maintenanceservice.exe.5.dr Static PE information: section name: .voltbl
Source: maintenanceservice.exe.5.dr Static PE information: section name: _RDATA
Source: msdtc.exe.5.dr Static PE information: section name: .didat
Source: msiexec.exe.5.dr Static PE information: section name: .didat
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: 0_2_004171D1 push ecx; ret 0_2_004171E4
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: 3_2_004171D1 push ecx; ret 3_2_004171E4
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: 3_2_0049671B pushad ; iretd 3_2_0049671D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_00493419 push edx; iretd 4_2_0049341B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_00492A2E push edi; iretd 4_2_00492A38
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_00491C8C push cs; iretd 4_2_00491C8D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_00491B79 push FFFFFF87h; retf 4_2_00491B7C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_00495B0C pushfd ; iretd 4_2_00495B0D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_04AF7DF0 push 04AF7D4Bh; ret 4_2_04AF7D80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_04AF7DF0 push 04AF7DD7h; ret 4_2_04AF7D9F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_04AF7DF0 push 04AF7D5Fh; ret 4_2_04AF7DB3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_04AF7DF0 push 04AF81E6h; ret 4_2_04AF7E2D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_04AF7DF0 push 04AF7FCCh; ret 4_2_04AF82BB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_04AF7DF0 push 04AF8468h; ret 4_2_04AF852D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_04AF8550 push 04AF852Eh; ret 4_2_04AF7F3A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_04AF8550 push 04AF8514h; ret 4_2_04AF7F66
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_04AF8550 push 04AF7E66h; ret 4_2_04AF8057
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_04AF8550 push 04AF817Ah; ret 4_2_04AF808B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_04AF8550 push 04AF82E5h; ret 4_2_04AF80D9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_04AF8550 push 04AF826Ah; ret 4_2_04AF819E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_04AF8550 push 04AF849Ch; ret 4_2_04AF81E4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_04AF8550 push 04AF805Ch; ret 4_2_04AF8255
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_04AF8550 push 04AF8321h; ret 4_2_04AF82E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_04AF8550 push 04AF7FBFh; ret 4_2_04AF831F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_04AF8550 push 04AF7FA8h; ret 4_2_04AF834C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_04AF8550 push 04AF84BAh; ret 4_2_04AF83E2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_04AF8550 push 04AF8426h; ret 4_2_04AF84D8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_04AF8550 push 04AF8075h; ret 4_2_04AF84FD
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_04AF8550 push 04AF808Ch; ret 4_2_04AF8512
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_04AF8550 push 04AF8B6Fh; ret 4_2_04AF8596
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_04AF8550 push 04AF8E94h; ret 4_2_04AF85C9
Source: Native_Redline_BTC.exe.4.dr Static PE information: section name: .text entropy: 7.954598996291746
Source: Acrobat.exe.5.dr Static PE information: section name: .reloc entropy: 7.8576184835751715
Source: Aut2exe.exe.5.dr Static PE information: section name: .rsrc entropy: 7.800635454777948
Source: Aut2exe_x64.exe.5.dr Static PE information: section name: .rsrc entropy: 7.800488144393949
Source: setup.exe.5.dr Static PE information: section name: .rsrc entropy: 7.6446905292307115
Source: AutoIt3_x64.exe.5.dr Static PE information: section name: .reloc entropy: 7.943916918732901
Source: appvcleaner.exe.5.dr Static PE information: section name: .reloc entropy: 7.9356357834661635
Source: SciTE.exe.5.dr Static PE information: section name: .reloc entropy: 7.912295186276781
Source: IntegratedOffice.exe.5.dr Static PE information: section name: .reloc entropy: 7.926760749697762
Source: OfficeC2RClient.exe.5.dr Static PE information: section name: .reloc entropy: 7.71655749372354
Source: officesvcmgr.exe.5.dr Static PE information: section name: .reloc entropy: 7.937217171394089
Source: chrome_pwa_launcher.exe.5.dr Static PE information: section name: .reloc entropy: 7.9405684282494935
Source: chrmstp.exe.5.dr Static PE information: section name: .reloc entropy: 7.941019211695992
Source: jucheck.exe.5.dr Static PE information: section name: .reloc entropy: 7.9310613102351475
Source: jusched.exe.5.dr Static PE information: section name: .reloc entropy: 7.936029055064351
Source: AppVClient.exe.5.dr Static PE information: section name: .reloc entropy: 7.936511844127285
Source: FXSSVC.exe.5.dr Static PE information: section name: .reloc entropy: 7.942261525543949
Source: 117.0.5938.132_chrome_installer.exe.5.dr Static PE information: section name: .reloc entropy: 7.934753535759687
Source: elevation_service.exe.5.dr Static PE information: section name: .reloc entropy: 7.9439315647986515
Source: elevation_service.exe0.5.dr Static PE information: section name: .reloc entropy: 7.945943261592593
Source: Native_Redline_BTC.exe.4.dr, WP6RZJql8gZrNhVA9v.cs High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'vBXN2xV7mCTjW', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 4.2.svchost.exe.6000000.3.raw.unpack, WP6RZJql8gZrNhVA9v.cs High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'vBXN2xV7mCTjW', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
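The three static findings in this section worth reproducing on a host are the header checksum mismatch (real 0x0 on Native_Redline_BTC.exe.4.dr, a sign the image was rewritten after linking and never re-checksummed), the .text section entropy of 7.95 on the same file (compiled code normally lands well below 7.0; values close to 8.0 mean packed or encrypted content), and the appvcleaner.exe.5.dr compile timestamp 0xBEAF7172, which decodes to 18 May 2071, i.e. in the future. The unusual section names listed above (.didat, .00cfg, .voltbl, _RDATA, .gxfg, .gehcont, .retplne, LZMADEC, malloc_h) are emitted by mainstream toolchains and installers such as MSVC delay-load, CFG/XFG and retpoline tables and the Chromium installer, so on their own they are weak signals; they matter here mainly because the files carrying them are legitimate binaries that were overwritten. The script below is an added example, not part of the Joe Sandbox report or of any of the samples: it re-implements those three checks with only the Python standard library. It assumes the CheckSum field is 4-byte aligned (true whenever e_lfanew is), and the one-section PE it builds for self-testing is a constructed fixture, not one of the dropped files.

```python
"""Static PE triage: header checksum vs. recomputed checksum, per-section Shannon
entropy, and a compile timestamp that lies in the future. Added example, standard
library only. Run with a file path to triage a real PE; run with no arguments to
triage the constructed fixture."""
import struct
import sys
from datetime import datetime, timezone
from math import log2


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly random bytes.
    Compiled code usually sits around 6.0 to 6.5; packed or encrypted code near 7.9."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * log2(c / n) for c in counts if c)


def pe_checksum(data: bytes, checksum_offset: int) -> int:
    """PE/COFF checksum as imagehlp's CheckSumMappedFile computes it: 32-bit words
    summed with end-around carry, the 4-byte CheckSum field itself skipped, the sum
    folded to 16 bits, then the file length added. Assumes checksum_offset % 4 == 0."""
    padded = data + b"\x00" * (-len(data) % 4)
    total = 0
    for i in range(0, len(padded), 4):
        if i == checksum_offset:
            continue
        total += struct.unpack_from("<I", padded, i)[0]
        if total >= 1 << 32:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total = (total + (total >> 16)) & 0xFFFF
    return total + len(data)


def parse_pe(data: bytes) -> dict:
    """Minimal header walk: locates TimeDateStamp, CheckSum and each section's raw bytes."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    n_sections, timestamp = struct.unpack_from("<HI", data, coff + 2)
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                 # optional header; CheckSum is at +64 for PE32 and PE32+
    checksum_offset = opt + 64
    sections = []
    sec = opt + opt_size            # section table follows the optional header
    for _ in range(n_sections):
        name = data[sec:sec + 8].rstrip(b"\x00").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", data, sec + 16)
        sections.append((name, data[raw_ptr:raw_ptr + raw_size]))
        sec += 40
    return {
        "checksum_offset": checksum_offset,
        "header_checksum": struct.unpack_from("<I", data, checksum_offset)[0],
        "timestamp": timestamp,
        "sections": sections,
    }


def triage(data: bytes, now_epoch: int, entropy_threshold: float = 7.0) -> list:
    """Findings phrased like the report's lines. now_epoch is the analysis time as a
    Unix timestamp, passed in so the future-timestamp check is reproducible."""
    pe = parse_pe(data)
    findings = []
    real = pe_checksum(data, pe["checksum_offset"])
    if pe["header_checksum"] != real:
        findings.append(f"checksum: real 0x{pe['header_checksum']:x} should be 0x{real:x}")
    if pe["timestamp"] > now_epoch:
        built = datetime.fromtimestamp(pe["timestamp"], tz=timezone.utc)
        findings.append(f"timestamp in the future: 0x{pe['timestamp']:X} "
                        f"[{built:%a %b %d %H:%M:%S %Y} UTC]")
    for name, raw in pe["sections"]:
        ent = shannon_entropy(raw)
        if ent > entropy_threshold:
            findings.append(f"section {name} entropy {ent:.3f}")
    return findings


def build_synthetic_pe(section_data: bytes, timestamp: int, checksum: int = 0) -> bytes:
    """Constructed fixture (not one of the dropped files): a one-section PE32 image
    that is valid enough for parse_pe(); section data starts at file offset 512."""
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 64)              # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                          # PE32 magic
    struct.pack_into("<I", opt, 64, checksum)                      # CheckSum field
    raw_ptr = 512
    section = struct.pack("<8sIIIIIIHHI", b".text", len(section_data), 0x1000,
                          len(section_data), raw_ptr, 0, 0, 0, 0, 0x60000020)
    headers = dos + b"PE\x00\x00" + coff + bytes(opt) + section
    return headers + b"\x00" * (raw_ptr - len(headers)) + section_data


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    image = (open(target, "rb").read() if target
             else build_synthetic_pe(bytes(range(256)) * 4, 0xBEAF7172))
    for line in triage(image, int(datetime.now(timezone.utc).timestamp())):
        print(line)
```

A checksum of exactly 0x0 is the most telling of the three: the linker always fills the field for signed or system binaries, so 0x0 on a file dropped by another process means it was produced by a tool that never ran the checksum pass. A mismatch that is non-zero (0xa2135 versus 0x6402d4 on the submitted sample) points instead at an image that was patched after linking, which is consistent with the overwritten Adobe, Office and Chrome binaries listed under Persistence below.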

Persistence and Installation Behavior

Source: C:\Windows\System32\alg.exe File created: C:\Windows\system32\config\systemprofile\AppData\Roaming\97dd988331e417df.bin
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe (13 write operations)
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Mozilla Firefox\crashreporter.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Mozilla Firefox\firefox.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Mozilla Firefox\pingsender.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Mozilla Firefox\plugin-container.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Mozilla Firefox\private_browsing.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File written: C:\Program Files\Mozilla Firefox\updater.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Windows\System32\wbem\WmiApSrv.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\chrome_pwa_launcher.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\chrmstp.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Mozilla Firefox\pingsender.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Windows\System32\vds.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\setup.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Windows\System32\alg.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\7-Zip\7zFM.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Windows\System32\snmptrap.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Windows\System32\Spectrum.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Windows Media Player\wmpnetwk.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Windows\System32\Locator.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\7-Zip\7z.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Windows\System32\AppVClient.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Mozilla Firefox\crashreporter.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Windows\SysWOW64\perfhost.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\7-Zip\7zG.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Windows\System32\msiexec.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Windows\System32\VSSVC.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Windows\System32\wbengine.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Windows\System32\SearchIndexer.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\notification_helper.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Mozilla Firefox\private_browsing.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Windows\System32\TieringEngineService.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Mozilla Firefox\firefox.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files (x86)\AutoIt3\Au3Info.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Mozilla Firefox\updater.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files (x86)\AutoIt3\Au3Check.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\elevation_service.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Windows\System32\AgentService.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\7-Zip\Uninstall.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Windows\System32\FXSSVC.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe
Source: C:\Windows\SysWOW64\svchost.exe System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Windows\System32\OpenSSH\ssh-agent.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Windows\System32\SensorDataService.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Windows\System32\msdtc.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe System file written: C:\Program Files\Mozilla Firefox\plugin-container.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\chrome_pwa_launcher.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\chrmstp.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\servertool.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files\Mozilla Firefox\pingsender.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Windows\System32\vds.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\setup.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Users\user\AppData\Local\Temp\microsofts.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Windows\System32\snmptrap.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Windows\System32\Spectrum.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files\Windows Media Player\wmpnetwk.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Windows\System32\Locator.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files\Mozilla Firefox\default-browser-agent.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files\7-Zip\7z.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Windows\System32\AppVClient.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files\Mozilla Firefox\crashreporter.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Windows\SysWOW64\perfhost.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files\7-Zip\7zG.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Windows\System32\msiexec.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\keytool.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\notification_helper.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files\Mozilla Firefox\maintenanceservice.exe
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe File created: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Windows\System32\TieringEngineService.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files\Mozilla Firefox\firefox.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files\Mozilla Firefox\updater.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\kinit.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files (x86)\AutoIt3\Au3Check.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\elevation_service.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\policytool.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files\7-Zip\Uninstall.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Windows\System32\FXSSVC.exe
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\rmiregistry.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files (x86)\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Windows\System32\SensorDataService.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Windows\System32\msdtc.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\java-rmi.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Windows\System32\wbem\WmiApSrv.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\pack200.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\jabswitch.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Windows\System32\alg.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.132\117.0.5938.132_chrome_installer.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\rmid.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files\7-Zip\7zFM.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\klist.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe File created: C:\Users\user\AppData\Local\Temp\server_BTC.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\tnameserv.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Windows\System32\VSSVC.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Windows\System32\wbengine.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Windows\System32\SearchIndexer.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files\Mozilla Firefox\private_browsing.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files (x86)\AutoIt3\Au3Info.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\jjs.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\orbd.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Windows\System32\AgentService.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files\Google\Chrome\Application\chrome_proxy.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\ktab.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Windows\System32\OpenSSH\ssh-agent.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe File created: C:\Users\user\AppData\Local\Temp\build.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files\Mozilla Firefox\plugin-container.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Windows\System32\snmptrap.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Windows\System32\Spectrum.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Windows\System32\Locator.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Windows\System32\AppVClient.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Windows\System32\FXSSVC.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Windows\System32\TieringEngineService.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Windows\System32\vds.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Windows\SysWOW64\perfhost.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File created: C:\Windows\System32\msiexec.exe

Boot Survival

Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe" /st 04:12 /du 23:59 /sc daily /ri 1 /f
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TrojanAIbot.exe.lnk
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_04AFCBD0 StrStrIW,CloseHandle,StrStrIW,CloseServiceHandle,OpenServiceW,StrStrIW,_wcslen,ChangeServiceConfigW,StrStrIW,StrStrIW,CloseServiceHandle,CloseHandle,StartServiceW, 4_2_04AFCBD0

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\TieringEngineService.exe File created: C:\System Volume Information\Heat\
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: 0_2_004772DE IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 0_2_004772DE
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: 0_2_004375B0 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_004375B0
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: 3_2_004772DE IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 3_2_004772DE
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: 3_2_004375B0 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput, 3_2_004375B0
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process information set: NOOPENFILEERRORBOX (23 identical entries)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX (101 identical entries)
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Process information set: NOOPENFILEERRORBOX (38 identical entries)
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Process information set: NOOPENFILEERRORBOX (30 identical entries)

Malware Analysis System Evasion

Source: C:\Windows\System32\alg.exe Code function: 9_2_006A52A0 GetSystemDefaultLangID, lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] 9_2_006A52A0
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: 0_2_00444078 0_2_00444078
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: 3_2_00444078 3_2_00444078
Source: C:\Users\user\AppData\Local\Temp\build.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Local\Temp\build.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe API/Special instruction interceptor: Address: 553E234
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe API/Special instruction interceptor: Address: 57B1214
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Memory allocated: 2BE0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Memory allocated: 2E20000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Memory allocated: 2C40000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe Memory allocated: 8E0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe Memory allocated: 1A300000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\build.exe Memory allocated: 1580000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\build.exe Memory allocated: 2FF0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\build.exe Memory allocated: 1580000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Memory allocated: 1250000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Memory allocated: 2E90000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Memory allocated: 4E90000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Memory allocated: 1180000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Memory allocated: 2A90000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Memory allocated: 1280000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Memory allocated: 2E80000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Memory allocated: 3050000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Memory allocated: 5050000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Memory allocated: 18A0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Memory allocated: 3130000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Memory allocated: 5130000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe Code function: 6_2_00007FF848E84660 sldt word ptr [eax] 6_2_00007FF848E84660
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Thread delayed: delay time: 1200000
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Thread delayed: delay time: 1199870
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Thread delayed: delay time: 1199765
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Thread delayed: delay time: 1199654
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Thread delayed: delay time: 1199531
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\build.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Window / User API: threadDelayed 3864
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Window / User API: threadDelayed 5890
Source: C:\Users\user\AppData\Local\Temp\build.exe Window / User API: threadDelayed 4164
Source: C:\Users\user\AppData\Local\Temp\build.exe Window / User API: threadDelayed 5628
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 8016
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1593
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Window / User API: threadDelayed 6008
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Window / User API: threadDelayed 3782
Source: C:\Windows\System32\msdtc.exe Window / User API: threadDelayed 487
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\117.0.5938.132\chrome_pwa_launcher.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\chrmstp.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\servertool.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\pingsender.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\setup.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files\Windows Media Player\wmpnetwk.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\default-browser-agent.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files\7-Zip\7z.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\crashreporter.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files\7-Zip\7zG.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Windows\System32\msiexec.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\keytool.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\117.0.5938.132\notification_helper.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\maintenanceservice.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\firefox.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\updater.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\kinit.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Check.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\117.0.5938.132\elevation_service.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\policytool.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files\7-Zip\Uninstall.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\rmiregistry.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\java-rmi.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Windows\System32\wbem\WmiApSrv.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\pack200.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\jabswitch.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.132\117.0.5938.132_chrome_installer.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\rmid.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files\7-Zip\7zFM.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\klist.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\tnameserv.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Windows\System32\VSSVC.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Windows\System32\SearchIndexer.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\private_browsing.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Info.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\jjs.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\orbd.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\chrome_proxy.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\ktab.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\plugin-container.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe API coverage: 3.2 %
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 7404 Thread sleep time: -30437127721620741s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 7404 Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 7404 Thread sleep time: -99859s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 7404 Thread sleep time: -99749s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 7404 Thread sleep time: -99637s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 7404 Thread sleep time: -99510s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 7404 Thread sleep time: -99377s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 7404 Thread sleep time: -99212s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 7404 Thread sleep time: -99089s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 7404 Thread sleep time: -98953s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 7404 Thread sleep time: -98801s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 7404 Thread sleep time: -98685s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 7404 Thread sleep time: -98562s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 7404 Thread sleep time: -98451s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 7404 Thread sleep time: -98328s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 7404 Thread sleep time: -98217s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 7404 Thread sleep time: -98093s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 7404 Thread sleep time: -97983s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 7404 Thread sleep time: -97842s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 7404 Thread sleep time: -97690s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 7404 Thread sleep time: -97445s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 7404 Thread sleep time: -97324s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 7404 Thread sleep time: -97203s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 7404 Thread sleep time: -97088s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 7404 Thread sleep time: -99875s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 7404 Thread sleep time: -99764s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 7404 Thread sleep time: -99655s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 7404 Thread sleep time: -99546s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 7404 Thread sleep time: -99431s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 7404 Thread sleep time: -99312s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 7404 Thread sleep time: -99202s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 7404 Thread sleep time: -99093s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 7404 Thread sleep time: -98984s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 7404 Thread sleep time: -98875s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 7404 Thread sleep time: -98765s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 7404 Thread sleep time: -98656s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 7404 Thread sleep time: -98547s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 7404 Thread sleep time: -98437s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 7404 Thread sleep time: -98182s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 7404 Thread sleep time: -98075s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 7404 Thread sleep time: -97890s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 7404 Thread sleep time: -97762s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 7404 Thread sleep time: -97653s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 7404 Thread sleep time: -97541s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 7404 Thread sleep time: -97437s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 7404 Thread sleep time: -97312s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 7404 Thread sleep time: -97094s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 7404 Thread sleep time: -96984s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 7404 Thread sleep time: -1200000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 7404 Thread sleep time: -1199870s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 7404 Thread sleep time: -1199765s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 7404 Thread sleep time: -1199654s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe TID: 7404 Thread sleep time: -1199531s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe TID: 6204 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\build.exe TID: 2668 Thread sleep time: -29514790517935264s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe TID: 3620 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\alg.exe TID: 4668 Thread sleep time: -90000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7260 Thread sleep count: 8016 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7248 Thread sleep count: 1593 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7368 Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe TID: 7456 Thread sleep time: -360480000s >= -30000s
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe TID: 7456 Thread sleep time: -226920000s >= -30000s
Source: C:\Windows\SysWOW64\timeout.exe TID: 7352 Thread sleep count: 41 > 30
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe TID: 7432 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\msdtc.exe TID: 5356 Thread sleep count: 487 > 30
Source: C:\Windows\System32\msdtc.exe TID: 5356 Thread sleep time: -48700s >= -30000s
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe TID: 5452 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\build.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: 0_2_00452126 FindFirstFileW,Sleep,FindNextFileW,FindClose, 0_2_00452126
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: 0_2_0045C999 FindFirstFileW,FindNextFileW,FindClose, 0_2_0045C999
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: 0_2_00436ADE GetFileAttributesW,FindFirstFileW,FindClose, 0_2_00436ADE
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: 0_2_00434BEE FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00434BEE
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: 0_2_0045DD7C FindFirstFileW,FindClose, 0_2_0045DD7C
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: 0_2_0044BD29 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose, 0_2_0044BD29
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: 0_2_00436D2D FindFirstFileW,CreateFileW,SetFileTime,CloseHandle,SetFileTime,CloseHandle, 0_2_00436D2D
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: 0_2_00442E1F SetCurrentDirectoryW,FindFirstFileW,SetCurrentDirectoryW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00442E1F
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: 0_2_00475FE5 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 0_2_00475FE5
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: 0_2_0044BF8D _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_0044BF8D
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: 3_2_00452126 FindFirstFileW,Sleep,FindNextFileW,FindClose, 3_2_00452126
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: 3_2_0045C999 FindFirstFileW,FindNextFileW,FindClose, 3_2_0045C999
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: 3_2_00436ADE GetFileAttributesW,FindFirstFileW,FindClose, 3_2_00436ADE
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: 3_2_00434BEE FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 3_2_00434BEE
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: 3_2_0045DD7C FindFirstFileW,FindClose, 3_2_0045DD7C
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: 3_2_0044BD29 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose, 3_2_0044BD29
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: 3_2_00436D2D FindFirstFileW,CreateFileW,SetFileTime,CloseHandle,SetFileTime,CloseHandle, 3_2_00436D2D
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: 3_2_00442E1F SetCurrentDirectoryW,FindFirstFileW,SetCurrentDirectoryW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 3_2_00442E1F
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: 3_2_00475FE5 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 3_2_00475FE5
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: 3_2_0044BF8D _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose, 3_2_0044BF8D
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: 0_2_0040E470 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_0040E470
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Thread delayed: delay time: 99859
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Thread delayed: delay time: 99749
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Thread delayed: delay time: 99637
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Thread delayed: delay time: 99510
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Thread delayed: delay time: 99377
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Thread delayed: delay time: 99212
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Thread delayed: delay time: 99089
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Thread delayed: delay time: 98953
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Thread delayed: delay time: 98801
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Thread delayed: delay time: 98685
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Thread delayed: delay time: 98562
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Thread delayed: delay time: 98451
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Thread delayed: delay time: 98328
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Thread delayed: delay time: 98217
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Thread delayed: delay time: 98093
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Thread delayed: delay time: 97983
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Thread delayed: delay time: 97842
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Thread delayed: delay time: 97690
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Thread delayed: delay time: 97445
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Thread delayed: delay time: 97324
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Thread delayed: delay time: 97203
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Thread delayed: delay time: 97088
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Thread delayed: delay time: 99875
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Thread delayed: delay time: 99764
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Thread delayed: delay time: 99655
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Thread delayed: delay time: 99546
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Thread delayed: delay time: 99431
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Thread delayed: delay time: 99312
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Thread delayed: delay time: 99202
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Thread delayed: delay time: 99093
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Thread delayed: delay time: 98984
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Thread delayed: delay time: 98875
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Thread delayed: delay time: 98765
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Thread delayed: delay time: 98656
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Thread delayed: delay time: 98547
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Thread delayed: delay time: 98437
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Thread delayed: delay time: 98182
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Thread delayed: delay time: 98075
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Thread delayed: delay time: 97890
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Thread delayed: delay time: 97762
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Thread delayed: delay time: 97653
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Thread delayed: delay time: 97541
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Thread delayed: delay time: 97437
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Thread delayed: delay time: 97312
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Thread delayed: delay time: 97094
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Thread delayed: delay time: 96984
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Thread delayed: delay time: 1200000
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Thread delayed: delay time: 1199870
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Thread delayed: delay time: 1199765
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Thread delayed: delay time: 1199654
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Thread delayed: delay time: 1199531
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\build.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Thread delayed: delay time: 60000
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Thread delayed: delay time: 60000
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File opened: C:\Documents and Settings\user\AppData\Local\Adobe\Acrobat\
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File opened: C:\Documents and Settings\user\AppData\Local\Adobe\Acrobat\DC\
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File opened: C:\Documents and Settings\user\AppData\Local\Adobe\
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File opened: C:\Documents and Settings\user\AppData\Local\Adobe\Acrobat\DC\Cache\
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File opened: C:\Documents and Settings\user\AppData\Local\
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File opened: C:\Documents and Settings\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\
Source: build.exe, 00000007.00000002.2559158756.00000000032A9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: build.exe, 00000007.00000002.2559158756.00000000032A9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: Spectrum.exe, 00000025.00000003.2335866500.000000000053D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: TSCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: build.exe, 00000007.00000002.2559158756.00000000032A9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: Spectrum.exe, 00000025.00000003.2335866500.000000000053D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: #TSCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: Spectrum.exe, 00000025.00000003.2335525609.0000000000524000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: BBSCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: SensorDataService.exe, 00000023.00000003.2314646412.0000000000644000.00000004.00000020.00020000.00000000.sdmp, SensorDataService.exe, 00000023.00000003.2314901954.0000000000644000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Drivertion Infrastructure Driver
Source: Native_Redline_BTC.exe, 00000006.00000002.2129851601.000000000055E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: alg.exe, 00000009.00000003.3298047259.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.2587369712.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.2725793461.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.2641781426.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.2605900173.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.2464247908.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.2576145561.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.3259678244.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.2560073777.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.2177000744.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.2621710164.000000000056E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: SensorDataService.exe, 00000023.00000002.2422375544.0000000000630000.00000004.00000020.00020000.00000000.sdmp, SensorDataService.exe, 00000023.00000003.2418758943.000000000062F000.00000004.00000020.00020000.00000000.sdmp, SensorDataService.exe, 00000023.00000003.2418497581.000000000061C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 0 GMicrosoft Hyper-V Generation Countersc%;Microsoft Hyper-V Generation Counter
Source: SensorDataService.exe, 00000023.00000003.2314646412.0000000000635000.00000004.00000020.00020000.00000000.sdmp, Spectrum.exe, 00000025.00000003.2335525609.0000000000524000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: @wgencounter.inf,%gencounter.devicedesc%;Microsoft Hyper-V Generation Counter
Source: Native_Redline_BTC.exe, 00000006.00000002.2129851601.000000000055E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: I-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: build.exe, 00000007.00000002.2559158756.00000000032A9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696428655
Source: SensorDataService.exe, 00000023.00000003.2418257754.000000000064F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: eSCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: build.exe, 00000007.00000002.2559158756.00000000032A9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: alg.exe, 00000009.00000002.3323934646.0000000000503000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW@cW%SystemRoot%\system32\mswsock.dll
Source: build.exe, 00000007.00000002.2559158756.00000000032A9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
Source: Spectrum.exe, 00000025.00000003.2335525609.0000000000524000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ;;SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: build.exe, 00000007.00000002.2559158756.00000000032A9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: build.exe, 00000007.00000002.2559158756.00000000032A9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: Spectrum.exe, 00000025.00000003.2335525609.0000000000524000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 4NECVMWar VMware SATA CD00
Source: snmptrap.exe, 00000024.00000002.3323126033.0000000000584000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll0
Source: SensorDataService.exe, 00000023.00000003.2418257754.000000000064F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: NECVMWar VMware SATA CD00
Source: SensorDataService.exe, 00000023.00000003.2418257754.000000000064F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: build.exe, 00000007.00000002.2559158756.00000000032A9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: build.exe, 00000007.00000002.2559158756.00000000032A9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: Spectrum.exe, 00000025.00000003.2335866500.000000000053D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware Virtual disk SCSI Disk Devicer%T#T
Source: build.exe, 00000007.00000002.2559158756.00000000032A9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: build.exe, 00000007.00000002.2559158756.00000000032A9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: build.exe, 00000007.00000002.2559158756.00000000032A9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: build.exe, 00000007.00000002.2559158756.00000000032A9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: build.exe, 00000007.00000002.2559158756.00000000032A9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: build.exe, 00000007.00000002.2559158756.00000000032A9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: build.exe, 00000007.00000002.2559158756.00000000032A9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696428655j
Source: build.exe, 00000007.00000002.2559158756.00000000032A9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: AppVClient.exe, 00000016.00000003.2182103866.00000000004BF000.00000004.00000020.00020000.00000000.sdmp, AppVClient.exe, 00000016.00000002.2185176053.00000000004F0000.00000004.00000020.00020000.00000000.sdmp, AppVClient.exe, 00000016.00000003.2182232459.00000000004EF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: appv:SoftwareClients/appv:JavaVirtualMachine
Source: alg.exe, 00000009.00000003.3298047259.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.2587369712.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.2725793461.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.2641781426.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.2605900173.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.2464247908.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.2576145561.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.3259678244.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.2560073777.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.2177000744.000000000056E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000009.00000003.2621710164.000000000056E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW^lw
Source: build.exe, 00000007.00000002.2550955586.0000000001180000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: build.exe, 00000007.00000002.2559158756.00000000032A9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: SensorDataService.exe, 00000023.00000003.2314646412.0000000000635000.00000004.00000020.00020000.00000000.sdmp, Spectrum.exe, 00000025.00000003.2335525609.0000000000524000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: @wvid.inf,%vid.devicedesc%;Microsoft Hyper-V Virtualization Infrastructure Driver`
Source: build.exe, 00000007.00000002.2559158756.00000000032A9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696428655f
Source: build.exe, 00000007.00000002.2559158756.00000000032A9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696428655s
Source: Spectrum.exe, 00000025.00000003.2335866500.000000000053D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: NECVMWar VMware SATA CD00\
Source: build.exe, 00000007.00000002.2559158756.00000000032A9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696428655o
Source: Spectrum.exe, 00000025.00000003.2335525609.0000000000524000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: v@oem2.inf,%loc.vmwarebusdevicedesc%;VMware VMCI Bus Device
Source: build.exe, 00000007.00000002.2559158756.00000000032A9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: build.exe, 00000007.00000002.2559158756.00000000032A9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696428655
Source: build.exe, 00000007.00000002.2559158756.00000000032A9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: build.exe, 00000007.00000002.2559158756.00000000032A9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: SensorDataService.exe, 00000023.00000003.2418257754.000000000064F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: @,eSCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: Spectrum.exe, 00000025.00000003.2335866500.000000000053D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware VMCI Bus Devicesdevicedesc%;VMware VMCI Bus Device
Source: build.exe, 00000007.00000002.2559158756.00000000032A9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: build.exe, 00000007.00000002.2559158756.00000000032A9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: build.exe, 00000007.00000002.2559158756.00000000032A9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: SensorDataService.exe, 00000023.00000003.2418497581.000000000061C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: @oem2.infloc.vmwarebusdevicedescVMware VMCI Bus DeviceV`
Source: build.exe, 00000007.00000002.2559158756.00000000032A9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: build.exe, 00000007.00000002.2559158756.00000000032A9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: Spectrum.exe, 00000025.00000003.2335525609.0000000000524000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: JVMware Virtual disk SCSI Disk Device
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Local\Temp\build.exe Code function: 7_2_05B46D90 LdrInitializeThunk, 7_2_05B46D90
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: 0_2_0045A259 BlockInput, 0_2_0045A259
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: 0_2_0040D6D0 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,GetForegroundWindow,ShellExecuteW, 0_2_0040D6D0
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: 0_2_0040EB70 LoadLibraryA,GetProcAddress, 0_2_0040EB70
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: 0_2_0553E500 mov eax, dword ptr fs:[00000030h] 0_2_0553E500
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: 0_2_0553E4A0 mov eax, dword ptr fs:[00000030h] 0_2_0553E4A0
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: 0_2_0553CEA0 mov eax, dword ptr fs:[00000030h] 0_2_0553CEA0
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: 3_2_057B14E0 mov eax, dword ptr fs:[00000030h] 3_2_057B14E0
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: 3_2_057B1480 mov eax, dword ptr fs:[00000030h] 3_2_057B1480
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: 3_2_057AFE80 mov eax, dword ptr fs:[00000030h] 3_2_057AFE80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_04B13F3D mov eax, dword ptr fs:[00000030h] 4_2_04B13F3D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_04AD1130 mov eax, dword ptr fs:[00000030h] 4_2_04AD1130
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: 0_2_00426DA1 CreateFileW,__lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock, 0_2_00426DA1
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\build.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Process token adjusted: Debug
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: 0_2_0042202E SetUnhandledExceptionFilter, 0_2_0042202E
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: 0_2_004230F5 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_004230F5
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: 0_2_00417D93 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00417D93
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: 0_2_00421FA7 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00421FA7
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: 3_2_0042202E SetUnhandledExceptionFilter, 3_2_0042202E
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: 3_2_004230F5 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_004230F5
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: 3_2_00417D93 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_00417D93
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: 3_2_00421FA7 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_00421FA7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_004015D7 SetUnhandledExceptionFilter, 4_2_004015D7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_004015D7 SetUnhandledExceptionFilter, 4_2_004015D7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_04B14C7B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 4_2_04B14C7B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_04B11361 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_04B11361
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi'
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi'
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe NtOpenKeyEx: Indirect: 0x140077B9B
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe NtQueryValueKey: Indirect: 0x140077C9F
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe NtClose: Indirect: 0x140077E81
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Memory written: C:\Windows\SysWOW64\svchost.exe base: 2814008
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: 0_2_0043916A LogonUserW, 0_2_0043916A
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: 0_2_0040D6D0 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,GetForegroundWindow,ShellExecuteW, 0_2_0040D6D0
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: 0_2_004375B0 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_004375B0
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: 0_2_00436431 __wcsicoll,mouse_event,__wcsicoll,mouse_event, 0_2_00436431
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe"
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe"
Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Users\user\AppData\Local\Temp\microsofts.exe "C:\Users\user\AppData\Local\Temp\microsofts.exe"
Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe "C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe"
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe Process created: C:\Users\user\AppData\Local\Temp\build.exe "C:\Users\user\AppData\Local\Temp\build.exe"
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe Process created: C:\Users\user\AppData\Local\Temp\server_BTC.exe "C:\Users\user\AppData\Local\Temp\server_BTC.exe"
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi'
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe" /st 04:12 /du 23:59 /sc daily /ri 1 /f
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process created: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe"
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpD5D5.tmp.cmd""
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 6
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: 0_2_00445DD3 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity, 0_2_00445DD3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_04AF8550 GetVolumeInformationW,wsprintfW,GetLastError,GetLastError,GetUserNameW,GetLastError,GetLastError,GetUserNameW,FreeSid,LocalFree,AllocateAndInitializeSid,wsprintfW,SetEntriesInAclW,GetLastError,OpenMutexW, 4_2_04AF8550
Source: PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Binary or memory string: Shell_TrayWnd
Source: PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe, 00000000.00000000.2047969124.0000000000482000.00000002.00000001.01000000.00000003.sdmp, PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe, 00000000.00000002.2075700685.0000000000482000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: @3PDASCRWINUPRWINDOWNLWINUPLWINDOWNSHIFTUPSHIFTDOWNALTUPALTDOWNCTRLUPCTRLDOWNMOUSE_XBUTTON2MOUSE_XBUTTON1MOUSE_MBUTTONMOUSE_RBUTTONMOUSE_LBUTTONLAUNCH_APP2LAUNCH_APP1LAUNCH_MEDIALAUNCH_MAILMEDIA_PLAY_PAUSEMEDIA_STOPMEDIA_PREVMEDIA_NEXTVOLUME_UPVOLUME_DOWNVOLUME_MUTEBROWSER_HOMEBROWSER_FAVORTIESBROWSER_SEARCHBROWSER_STOPBROWSER_REFRESHBROWSER_FORWARDBROWSER_BACKNUMPADENTERSLEEPRSHIFTLSHIFTRALTLALTRCTRLLCTRLAPPSKEYNUMPADDIVNUMPADDOTNUMPADSUBNUMPADADDNUMPADMULTNUMPAD9NUMPAD8NUMPAD7NUMPAD6NUMPAD5NUMPAD4NUMPAD3NUMPAD2NUMPAD1NUMPAD0CAPSLOCKPAUSEBREAKNUMLOCKSCROLLLOCKRWINLWINPRINTSCREENUPTABSPACERIGHTPGUPPGDNLEFTINSERTINSHOMEF12F11F10F9F8F7F6F5F4F3F2F1ESCAPEESCENTERENDDOWNDELETEDELBSBACKSPACEALTONOFF0%d%dShell_TrayWndExitScript Pausedblankinfoquestionstopwarning
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: 0_2_00410D10 cpuid 0_2_00410D10
Source: C:\Windows\SysWOW64\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe Queries volume information: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\build.exe Queries volume information: C:\Users\user\AppData\Local\Temp\build.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\build.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\build.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\build.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\build.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\build.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\build.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\build.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\build.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\build.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\build.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\build.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Queries volume information: C:\Users\user\AppData\Local\Temp\server_BTC.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\alg.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Queries volume information: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Queries volume information: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\System32\AppVClient.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\FXSSVC.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\FXSSVC.exe Queries volume information: C:\ProgramData\Microsoft\Windows NT\MSFax\Queue\TSTEB13.tmp VolumeInformation
Source: C:\Windows\System32\FXSSVC.exe Queries volume information: C:\ProgramData\Microsoft\Windows NT\MSFax\TSTEB14.tmp VolumeInformation
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\msdtc.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Queries volume information: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\Locator.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\SensorDataService.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\snmptrap.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\Spectrum.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\OpenSSH\ssh-agent.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\TieringEngineService.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\AgentService.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\vds.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\wbengine.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\TieringEngineService.exe Key value queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\TimeZoneInformation Bias
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: 0_2_004223BC GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 0_2_004223BC
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: 0_2_004711D2 GetUserNameW, 0_2_004711D2
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: 0_2_0040E470 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_0040E470
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\AppData\Local\Temp\build.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\build.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\AppData\Local\Temp\build.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Users\user\AppData\Local\Temp\build.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\build.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\AppData\Local\Temp\build.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Source: Yara match File source: 5.3.microsofts.exe.590000.1148.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.microsofts.exe.6e3718.17.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.svchost.exe.6000000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.svchost.exe.6000000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.microsofts.exe.590000.1051.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.microsofts.exe.5b0000.1147.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.microsofts.exe.590000.913.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.microsofts.exe.5b0000.1146.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.microsofts.exe.6e3718.17.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.Native_Redline_BTC.exe.10000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000000.2117556197.0000000000012000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.2424106953.0000000007240000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.2119948725.00000000006E3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.2419729495.0000000007240000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2128865412.0000000006000000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe, type: DROPPED
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 6.2.Native_Redline_BTC.exe.12354d08.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.Native_Redline_BTC.exe.123eb188.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.Native_Redline_BTC.exe.123eb188.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.build.exe.bc0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.Native_Redline_BTC.exe.1239ff50.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.Native_Redline_BTC.exe.1239ff50.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.Native_Redline_BTC.exe.12354d08.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.2132146464.00000000123E2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2559158756.0000000003086000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2132146464.0000000012309000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2132146464.0000000012397000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.2126000556.0000000000BC2000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Native_Redline_BTC.exe PID: 6180, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: build.exe PID: 7064, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\build.exe, type: DROPPED
Source: build.exe, 00000007.00000002.2559158756.0000000003086000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: ElectrumE#
Source: build.exe, 00000007.00000002.2559158756.0000000003086000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: JaxxE#
Source: build.exe, 00000007.00000002.2559158756.0000000003086000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: ExodusE#
Source: build.exe, 00000007.00000002.2559158756.0000000003086000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: EthereumE#
Source: microsofts.exe, 00000005.00000003.2119948725.00000000006E3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: set_UseMachineKeyStore
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\AppData\Local\Temp\build.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Local\Temp\build.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Users\user\AppData\Local\Temp\build.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\build.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Local\Temp\build.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\build.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\build.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File opened: C:\FTP Navigator\Ftplist.txt
Source: C:\Users\user\AppData\Local\Temp\build.exe File opened: C:\Users\user\AppData\Roaming\atomic\
Source: C:\Users\user\AppData\Local\Temp\build.exe File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\Users\user\AppData\Local\Temp\build.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\Cache\
Source: C:\Users\user\AppData\Local\Temp\build.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\db\
Source: C:\Users\user\AppData\Local\Temp\build.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Users\user\AppData\Local\Temp\build.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Users\user\AppData\Local\Temp\build.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\AppData\Local\Temp\build.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\AppData\Local\Temp\build.exe File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
Source: C:\Users\user\AppData\Local\Temp\build.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Local\Temp\build.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Local\Temp\build.exe File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Users\user\AppData\Local\Temp\build.exe File opened: C:\Users\user\AppData\Roaming\Guarda\
Source: C:\Users\user\AppData\Local\Temp\build.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\AppData\Local\Temp\microsofts.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe, 00000003.00000000.2075282784.0000000000482000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPWIN_2000InstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 6, 0USERPROFILEUSERDOMAINUSERDNSDOMAINDefaultGetSystemWow64DirectoryWSeDebugPrivilege:cdeclwinapistdcallnonestrwstrintbooluintlongulongdwordshortushortwordbyteubytebooleanfloatdoubleptrhwndhandlelresultlparamwparamint64uint64int_ptruint_ptrlong_ptrulong_ptrdword_ptridispatch64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYadvapi32.dllRegDeleteKeyExW+.-.+-\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]ISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXISTSEXPANDmsctls_statusbar321tooltips_class32AutoIt v3 GUI%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----
Source: PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Binary or memory string: WIN_XP
Source: PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Binary or memory string: WIN_XPe
Source: PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Binary or memory string: WIN_VISTA
Source: PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Binary or memory string: WIN_7
Source: Yara match File source: 00000007.00000002.2559158756.0000000003086000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: build.exe PID: 7064, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 5.3.microsofts.exe.590000.1148.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.microsofts.exe.6e3718.17.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.svchost.exe.6000000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.svchost.exe.6000000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.microsofts.exe.590000.1051.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.microsofts.exe.5b0000.1147.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.microsofts.exe.590000.913.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.microsofts.exe.5b0000.1146.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.microsofts.exe.6e3718.17.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.Native_Redline_BTC.exe.10000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000000.2117556197.0000000000012000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.2424106953.0000000007240000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.2119948725.00000000006E3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.2419729495.0000000007240000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2128865412.0000000006000000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\Native_Redline_BTC.exe, type: DROPPED
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 6.2.Native_Redline_BTC.exe.12354d08.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.Native_Redline_BTC.exe.123eb188.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.Native_Redline_BTC.exe.123eb188.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.build.exe.bc0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.Native_Redline_BTC.exe.1239ff50.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.Native_Redline_BTC.exe.1239ff50.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.Native_Redline_BTC.exe.12354d08.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.2132146464.00000000123E2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2559158756.0000000003086000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2132146464.0000000012309000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2132146464.0000000012397000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.2126000556.0000000000BC2000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Native_Redline_BTC.exe PID: 6180, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: build.exe PID: 7064, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\build.exe, type: DROPPED
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: 0_2_004741BB socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 0_2_004741BB
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: 0_2_0046483C socket,WSAGetLastError,bind,WSAGetLastError,listen,WSAGetLastError,closesocket, 0_2_0046483C
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: 0_2_0047AD92 OleInitialize,_wcslen,CreateBindCtx,MkParseDisplayName,CLSIDFromProgID,GetActiveObject, 0_2_0047AD92
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: 3_2_004741BB socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 3_2_004741BB
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: 3_2_0046483C socket,WSAGetLastError,bind,WSAGetLastError,listen,WSAGetLastError,closesocket, 3_2_0046483C
Source: C:\Users\user\Desktop\PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe Code function: 3_2_0047AD92 OleInitialize,_wcslen,CreateBindCtx,MkParseDisplayName,CLSIDFromProgID,GetActiveObject, 3_2_0047AD92