
Windows Analysis Report
82.msi

Overview

General Information

Sample name:82.msi
Analysis ID:1603202
MD5:fed4d89f04744fd10c65069fd754adcb
SHA1:25e6f75bf8aa8ef1bb084164d0a45058c6f8ad16
SHA256:9b4e4b8e620f53b8010d5316945f930df1327ce11135617e3f075ec70ffd49d1
Tags:msiuser-G60930953
Infos:

Detection

Score:88
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Found strings related to Crypto-Mining
Joe Sandbox ML detected suspicious sample
Maps a DLL or memory area into another process
PE file has a writeable .text section
Sigma detected: Suspicious GUP Usage
Switches to a custom stack to bypass stack traces
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Checks for available system drives (often done to infect USB drives)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found evasive API chain (may stop execution after checking a module file name)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the installation date of Windows
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for user specific document files
Suricata IDS alerts with low severity for network traffic
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication

Classification

  • System is w10x64
  • msiexec.exe (PID: 7516 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\82.msi" MD5: E5DA170027542E25EDE42FC54C929077)
  • msiexec.exe (PID: 7588 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)
    • msiexec.exe (PID: 7636 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 7099DE4C06DCDCA8213456323FF799A9 C MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • ISBEW64.exe (PID: 7744 cmdline: C:\Users\user\AppData\Local\Temp\{5B642672-98B5-4E85-98D9-B1E750D8B749}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{19DA863E-B60E-44E3-9DE7-C50CC5323CF1} MD5: 40F3A092744E46F3531A40B917CCA81E)
      • ISBEW64.exe (PID: 7780 cmdline: C:\Users\user\AppData\Local\Temp\{5B642672-98B5-4E85-98D9-B1E750D8B749}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{B9E5B376-8165-4785-BDBB-065141BB3F13} MD5: 40F3A092744E46F3531A40B917CCA81E)
      • ISBEW64.exe (PID: 7812 cmdline: C:\Users\user\AppData\Local\Temp\{5B642672-98B5-4E85-98D9-B1E750D8B749}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{59247D03-E983-4D17-A383-BFA23594A11E} MD5: 40F3A092744E46F3531A40B917CCA81E)
      • ISBEW64.exe (PID: 7844 cmdline: C:\Users\user\AppData\Local\Temp\{5B642672-98B5-4E85-98D9-B1E750D8B749}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{D3E21DF4-856E-4EF5-B3CC-948D8562DF5B} MD5: 40F3A092744E46F3531A40B917CCA81E)
      • ISBEW64.exe (PID: 7876 cmdline: C:\Users\user\AppData\Local\Temp\{5B642672-98B5-4E85-98D9-B1E750D8B749}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{9C1ACE04-B793-4578-8AA9-BF2942701188} MD5: 40F3A092744E46F3531A40B917CCA81E)
      • ISBEW64.exe (PID: 7916 cmdline: C:\Users\user\AppData\Local\Temp\{5B642672-98B5-4E85-98D9-B1E750D8B749}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{34B60CF7-FDDB-46AC-B9FC-B9E4CB726719} MD5: 40F3A092744E46F3531A40B917CCA81E)
      • ISBEW64.exe (PID: 7948 cmdline: C:\Users\user\AppData\Local\Temp\{5B642672-98B5-4E85-98D9-B1E750D8B749}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{22BCA8AC-0CFF-4E0F-813E-04A85DA8072F} MD5: 40F3A092744E46F3531A40B917CCA81E)
      • ISBEW64.exe (PID: 7980 cmdline: C:\Users\user\AppData\Local\Temp\{5B642672-98B5-4E85-98D9-B1E750D8B749}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{FABFADDC-410A-4184-ACD0-480D29FAFAD4} MD5: 40F3A092744E46F3531A40B917CCA81E)
      • ISBEW64.exe (PID: 8012 cmdline: C:\Users\user\AppData\Local\Temp\{5B642672-98B5-4E85-98D9-B1E750D8B749}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{8F6DE6B4-1A54-456A-935D-61EC3C05B24E} MD5: 40F3A092744E46F3531A40B917CCA81E)
      • ISBEW64.exe (PID: 8044 cmdline: C:\Users\user\AppData\Local\Temp\{5B642672-98B5-4E85-98D9-B1E750D8B749}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{0DBB6F03-FD72-450E-9BF6-302E16702B72} MD5: 40F3A092744E46F3531A40B917CCA81E)
      • GUP.exe (PID: 8076 cmdline: C:\Users\user\AppData\Local\Temp\{8A9DAA3D-7792-4C0B-949B-347972941ADA}\GUP.exe MD5: 4620F1BA5072F37BDEDF2650C654595D)
        • GUP.exe (PID: 8092 cmdline: C:\Users\user\AppData\Roaming\Writerfirefox_SD_v5\GUP.exe MD5: 4620F1BA5072F37BDEDF2650C654595D)
          • cmd.exe (PID: 8116 cmdline: C:\Windows\SysWOW64\cmd.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
            • conhost.exe (PID: 8124 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • javasign_test.exe (PID: 7728 cmdline: C:\Users\user\AppData\Local\Temp\javasign_test.exe MD5: 967F4470627F823F4D7981E511C9824F)
              • msedge.exe (PID: 7960 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory="Default" MD5: 69222B8101B0601CC6663F8381E7E00F)
                • msedge.exe (PID: 2552 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2232 --field-trial-handle=2132,i,3809154015794764624,15846486505537806196,262144 /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)
      • MpCmdRun.exe (PID: 7812 cmdline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable MD5: B3676839B2EE96983F9ED735CD044159)
        • conhost.exe (PID: 7856 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • GUP.exe (PID: 7372 cmdline: "C:\Users\user\AppData\Roaming\Writerfirefox_SD_v5\GUP.exe" MD5: 4620F1BA5072F37BDEDF2650C654595D)
    • cmd.exe (PID: 7504 cmdline: C:\Windows\SysWOW64\cmd.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5104 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • javasign_test.exe (PID: 7780 cmdline: C:\Users\user\AppData\Local\Temp\javasign_test.exe MD5: 967F4470627F823F4D7981E511C9824F)
  • msedge.exe (PID: 8072 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate MD5: 69222B8101B0601CC6663F8381E7E00F)
    • msedge.exe (PID: 400 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=1888 --field-trial-handle=2072,i,6599914520268651248,6988273633780560088,262144 /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)
    • msedge.exe (PID: 6048 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=7084 --field-trial-handle=2072,i,6599914520268651248,6988273633780560088,262144 /prefetch:8 MD5: 69222B8101B0601CC6663F8381E7E00F)
    • msedge.exe (PID: 5456 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=7144 --field-trial-handle=2072,i,6599914520268651248,6988273633780560088,262144 /prefetch:8 MD5: 69222B8101B0601CC6663F8381E7E00F)
    • msedge.exe (PID: 4084 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-GB --service-sandbox-type=search_indexer --message-loop-type-ui --mojo-platform-channel-handle=7188 --field-trial-handle=2072,i,6599914520268651248,6988273633780560088,262144 /prefetch:8 MD5: 69222B8101B0601CC6663F8381E7E00F)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: C:\Users\user\AppData\Local\Temp\{8A9DAA3D-7792-4C0B-949B-347972941ADA}\GUP.exe, CommandLine: C:\Users\user\AppData\Local\Temp\{8A9DAA3D-7792-4C0B-949B-347972941ADA}\GUP.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\{8A9DAA3D-7792-4C0B-949B-347972941ADA}\GUP.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\{8A9DAA3D-7792-4C0B-949B-347972941ADA}\GUP.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\{8A9DAA3D-7792-4C0B-949B-347972941ADA}\GUP.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding 7099DE4C06DCDCA8213456323FF799A9 C, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 7636, ParentProcessName: msiexec.exe, ProcessCommandLine: C:\Users\user\AppData\Local\Temp\{8A9DAA3D-7792-4C0B-949B-347972941ADA}\GUP.exe, ProcessId: 8076, ProcessName: GUP.exe
Timestamp                        SID      Severity  Classtype        Source IP    Source Port  Destination IP  Destination Port  Protocol
2025-01-30T17:42:53.770319+0100  2028371  3         Unknown Traffic  192.168.2.9  49978        104.21.64.1     443               TCP
2025-01-30T17:42:55.309013+0100  2028371  3         Unknown Traffic  192.168.2.9  49980        104.21.64.1     443               TCP
2025-01-30T17:42:56.178399+0100  2028371  3         Unknown Traffic  192.168.2.9  49981        104.21.64.1     443               TCP
2025-01-30T17:43:11.895090+0100  2028371  3         Unknown Traffic  192.168.2.9  50045        104.21.64.1     443               TCP
2025-01-30T17:43:13.741452+0100  2028371  3         Unknown Traffic  192.168.2.9  50074        104.21.64.1     443               TCP
2025-01-30T17:43:21.132804+0100  2028371  3         Unknown Traffic  192.168.2.9  50087        104.21.64.1     443               TCP
2025-01-30T17:43:22.891131+0100  2028371  3         Unknown Traffic  192.168.2.9  50090        104.21.64.1     443               TCP
2025-01-30T17:43:23.709188+0100  2028371  3         Unknown Traffic  192.168.2.9  50091        104.21.64.1     443               TCP
2025-01-30T17:43:25.123148+0100  2028371  3         Unknown Traffic  192.168.2.9  50093        104.21.64.1     443               TCP
2025-01-30T17:43:27.266090+0100  2028371  3         Unknown Traffic  192.168.2.9  50094        104.21.64.1     443               TCP
2025-01-30T17:43:28.753420+0100  2028371  3         Unknown Traffic  192.168.2.9  50095        104.21.64.1     443               TCP
2025-01-30T17:43:30.052966+0100  2028371  3         Unknown Traffic  192.168.2.9  50096        104.21.64.1     443               TCP
2025-01-30T17:43:42.094425+0100  2028371  3         Unknown Traffic  192.168.2.9  50097        104.21.64.1     443               TCP
2025-01-30T17:43:43.673753+0100  2028371  3         Unknown Traffic  192.168.2.9  50098        104.21.64.1     443               TCP
2025-01-30T17:43:44.406321+0100  2028371  3         Unknown Traffic  192.168.2.9  50099        104.21.64.1     443               TCP
2025-01-30T17:43:45.267027+0100  2028371  3         Unknown Traffic  192.168.2.9  50100        104.21.64.1     443               TCP
2025-01-30T17:43:46.080368+0100  2028371  3         Unknown Traffic  192.168.2.9  50101        104.21.64.1     443               TCP
2025-01-30T17:43:47.000057+0100  2028371  3         Unknown Traffic  192.168.2.9  50102        104.21.64.1     443               TCP
2025-01-30T17:43:47.977364+0100  2028371  3         Unknown Traffic  192.168.2.9  50103        104.21.64.1     443               TCP

AV Detection

Source: Submitted Sample, Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Temp\{8A9DAA3D-7792-4C0B-949B-347972941ADA}\GUP.exe Code function: 14_2_00007FF8E7806CC0 CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,14_2_00007FF8E7806CC0
Source: C:\Users\user\AppData\Local\Temp\{8A9DAA3D-7792-4C0B-949B-347972941ADA}\GUP.exe Code function: 14_2_00007FF8E77D9CE0 CryptAcquireContextA,CryptImportKey,CryptReleaseContext,CryptEncrypt,CryptDestroyKey,CryptReleaseContext,14_2_00007FF8E77D9CE0
Source: C:\Users\user\AppData\Local\Temp\{8A9DAA3D-7792-4C0B-949B-347972941ADA}\GUP.exe Code function: 14_2_00007FF8E77F5440 CryptHashData,14_2_00007FF8E77F5440
Source: C:\Users\user\AppData\Local\Temp\{8A9DAA3D-7792-4C0B-949B-347972941ADA}\GUP.exe Code function: 14_2_00007FF8E77F5450 CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,14_2_00007FF8E77F5450
Source: C:\Users\user\AppData\Local\Temp\{8A9DAA3D-7792-4C0B-949B-347972941ADA}\GUP.exe Code function: 14_2_00007FF8E77F53F0 CryptAcquireContextA,CryptCreateHash,14_2_00007FF8E77F53F0
Source: C:\Users\user\AppData\Local\Temp\{8A9DAA3D-7792-4C0B-949B-347972941ADA}\GUP.exe Code function: 14_2_00007FF8E77F52E0 CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,14_2_00007FF8E77F52E0
Source: C:\Users\user\AppData\Roaming\Writerfirefox_SD_v5\GUP.exe Code function: 15_2_00007FF8E75C5440 CryptHashData,15_2_00007FF8E75C5440
Source: C:\Users\user\AppData\Roaming\Writerfirefox_SD_v5\GUP.exe Code function: 15_2_00007FF8E75C5450 CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,15_2_00007FF8E75C5450
Source: C:\Users\user\AppData\Roaming\Writerfirefox_SD_v5\GUP.exe Code function: 15_2_00007FF8E75A9CE0 CryptAcquireContextA,CryptImportKey,CryptReleaseContext,CryptEncrypt,CryptDestroyKey,CryptReleaseContext,15_2_00007FF8E75A9CE0
Source: C:\Users\user\AppData\Roaming\Writerfirefox_SD_v5\GUP.exe Code function: 15_2_00007FF8E75D6CC0 CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,15_2_00007FF8E75D6CC0
Source: C:\Users\user\AppData\Roaming\Writerfirefox_SD_v5\GUP.exe Code function: 15_2_00007FF8E75C53F0 CryptAcquireContextA,CryptCreateHash,15_2_00007FF8E75C53F0
Source: C:\Users\user\AppData\Roaming\Writerfirefox_SD_v5\GUP.exe Code function: 15_2_00007FF8E75C52E0 CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,15_2_00007FF8E75C52E0
Source: GUP.exe, 0000000E.00000002.1406296897.0000017400E6E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: -----BEGIN PUBLIC KEY-----

Bitcoin Miner

Source: javasign_test.exe, 00000019.00000003.2118328189.0000000007FF3000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: "coinhive.com
Source: unknown HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.9:49978 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.9:49980 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.9:49981 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.9:50045 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.9:50074 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.9:50087 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.9:50090 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.9:50091 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.9:50093 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.9:50094 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.9:50095 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.9:50096 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.9:50097 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.9:50098 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.9:50099 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.9:50100 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.9:50101 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.9:50102 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.9:50103 version: TLS 1.2
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2* source: javasign_test.exe, 00000019.00000003.1925523476.000000000088C000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.1927496083.000000000088C000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.1928394464.000000000088C000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\ source: javasign_test.exe, 00000019.00000003.1927496083.0000000000877000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.1925523476.0000000000877000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\Local State source: javasign_test.exe, 00000019.00000003.1928532432.000000000088C000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.1925523476.000000000088C000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.1927496083.000000000088C000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.1928394464.000000000088C000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB90r source: javasign_test.exe, 00000019.00000003.1927496083.0000000000877000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.1925523476.0000000000877000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\profiles.ini source: javasign_test.exe, 00000019.00000003.2124898533.0000000000853000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\Local Stateb source: javasign_test.exe, 00000019.00000003.1928532432.000000000088C000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.1925523476.000000000088C000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.1927496083.000000000088C000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.1928394464.000000000088C000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\profiles.ini source: javasign_test.exe, 00000019.00000003.2124898533.0000000000853000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\Local Statery source: javasign_test.exe, 00000019.00000003.1928532432.000000000088C000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.1925523476.000000000088C000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.1927496083.000000000088C000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.1928394464.000000000088C000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: ZC:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\5n1h2txyewy\SystemAppData\ source: javasign_test.exe, 00000019.00000003.1927496083.0000000000877000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.1925523476.0000000000877000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: cmd.exe, 00000010.00000002.1774215509.000000000497F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.1776267297.0000000005240000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.1951338129.0000000004926000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.1952703933.00000000051F0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ntdll.pdbUGP source: GUP.exe, 0000000E.00000002.1413945004.0000017409AAD000.00000004.00000020.00020000.00000000.sdmp, GUP.exe, 0000000E.00000002.1414149565.0000017409EA0000.00000004.00000800.00020000.00000000.sdmp, GUP.exe, 0000000F.00000002.1473505880.0000024EC6650000.00000004.00000800.00020000.00000000.sdmp, GUP.exe, 0000000F.00000002.1473286374.0000024EC6254000.00000004.00000020.00020000.00000000.sdmp, GUP.exe, 0000000F.00000002.1473818770.0000024EC685D000.00000004.00000001.00020000.00000000.sdmp, GUP.exe, 00000016.00000002.1740045949.000001DFAF5E5000.00000004.00000020.00020000.00000000.sdmp, GUP.exe, 00000016.00000002.1740867781.000001DFAFBE7000.00000004.00000001.00020000.00000000.sdmp, GUP.exe, 00000016.00000002.1740272295.000001DFAF9E0000.00000004.00000800.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000002.2244678126.0000000005A49000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000002.2240699533.0000000003E43000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000002.2242372739.0000000004A43000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000002.2246183204.0000000005E41000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000002.2242891477.0000000004E46000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000002.2242064781.000000000484F000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000002.2243966630.000000000564F000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000002.2250720438.000000000644E000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000002.2251482385.0000000006A48000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000002.2243376961.000000000524B000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000002.2239415883.0000000002CA0000.00000004.00001000.00020000.00000000.sdmp, 
javasign_test.exe, 00000019.00000002.2252298555.000000000704A000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000002.2238643122.000000000233D000.00000004.00000020.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000002.2251212144.000000000684B000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000002.2250954957.0000000006649000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000002.2243662590.000000000544C000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000002.2252078722.0000000006E48000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000002.2241251920.0000000004241000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: cmd.exe, 00000010.00000002.1774215509.000000000497F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.1776267297.0000000005240000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.1951338129.0000000004926000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.1952703933.00000000051F0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: d.pdb\01AB9056EA9380F71644C4339E3FA1AC2\Local State source: javasign_test.exe, 00000019.00000003.1927496083.0000000000877000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.1925523476.0000000000877000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: WC:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: javasign_test.exe, 00000019.00000003.1927496083.0000000000877000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.1925523476.0000000000877000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: bols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\Local StatebeU source: javasign_test.exe, 00000019.00000003.1927496083.0000000000877000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.1925523476.0000000000877000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: C:\CodeBases\isdev\Src\Runtime\InstallScript\ISBEW64\x64\Release\ISBEW64.pdb source: ISBEW64.exe, 00000004.00000000.1383839623.00007FF60D647000.00000002.00000001.01000000.00000003.sdmp, ISBEW64.exe, 00000004.00000002.1385736138.00007FF60D647000.00000002.00000001.01000000.00000003.sdmp, ISBEW64.exe, 00000005.00000000.1384830551.00007FF60D647000.00000002.00000001.01000000.00000003.sdmp, ISBEW64.exe, 00000005.00000002.1386511839.00007FF60D647000.00000002.00000001.01000000.00000003.sdmp, ISBEW64.exe, 00000006.00000002.1387221455.00007FF60D647000.00000002.00000001.01000000.00000003.sdmp, ISBEW64.exe, 00000006.00000000.1385966946.00007FF60D647000.00000002.00000001.01000000.00000003.sdmp, ISBEW64.exe, 00000007.00000002.1388092835.00007FF60D647000.00000002.00000001.01000000.00000003.sdmp, ISBEW64.exe, 00000007.00000000.1386644239.00007FF60D647000.00000002.00000001.01000000.00000003.sdmp, ISBEW64.exe, 00000008.00000002.1389691219.00007FF60D647000.00000002.00000001.01000000.00000003.sdmp, ISBEW64.exe, 00000008.00000000.1387337150.00007FF60D647000.00000002.00000001.01000000.00000003.sdmp, ISBEW64.exe, 00000009.00000002.1412285484.00007FF60D647000.00000002.00000001.01000000.00000003.sdmp, ISBEW64.exe, 00000009.00000000.1389423570.00007FF60D647000.00000002.00000001.01000000.00000003.sdmp, ISBEW64.exe, 0000000A.00000000.1390438698.00007FF60D647000.00000002.00000001.01000000.00000003.sdmp, ISBEW64.exe, 0000000A.00000002.1392509858.00007FF60D647000.00000002.00000001.01000000.00000003.sdmp, ISBEW64.exe, 0000000B.00000002.1393322905.00007FF60D647000.00000002.00000001.01000000.00000003.sdmp, ISBEW64.exe, 0000000B.00000000.1391511961.00007FF60D647000.00000002.00000001.01000000.00000003.sdmp, ISBEW64.exe, 0000000C.00000000.1392631699.00007FF60D647000.00000002.00000001.01000000.00000003.sdmp, ISBEW64.exe, 0000000C.00000002.1394495944.00007FF60D647000.00000002.00000001.01000000.00000003.sdmp, ISBEW64.exe, 
0000000D.00000000.1393419305.00007FF60D647000.00000002.00000001.01000000.00000003.sdmp, ISBEW64.exe, 0000000D.00000002.1396449923.00007FF60D647000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2^ source: javasign_test.exe, 00000019.00000003.1928532432.000000000088C000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.1925523476.000000000088C000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.1927496083.000000000088C000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.1928394464.000000000088C000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: bols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\Local State source: javasign_test.exe, 00000019.00000003.1927496083.0000000000877000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.1925523476.0000000000877000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: VC:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\cal\Temp\Symbols source: javasign_test.exe, 00000019.00000003.1927496083.0000000000877000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.1925523476.0000000000877000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: javasign_test.exe, 00000019.00000003.1927496083.0000000000877000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.1925523476.0000000000877000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2c source: javasign_test.exe, 00000019.00000003.1927496083.0000000000894000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.1931483393.0000000000894000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.1928951581.0000000000894000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.1928819682.0000000000894000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.1929310350.0000000000894000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.1930401163.0000000000894000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.1928532432.0000000000894000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.1928394464.0000000000894000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: ntdll.pdb source: GUP.exe, 0000000E.00000002.1413945004.0000017409AAD000.00000004.00000020.00020000.00000000.sdmp, GUP.exe, 0000000E.00000002.1414149565.0000017409EA0000.00000004.00000800.00020000.00000000.sdmp, GUP.exe, 0000000F.00000002.1473505880.0000024EC6650000.00000004.00000800.00020000.00000000.sdmp, GUP.exe, 0000000F.00000002.1473286374.0000024EC6254000.00000004.00000020.00020000.00000000.sdmp, GUP.exe, 0000000F.00000002.1473818770.0000024EC685D000.00000004.00000001.00020000.00000000.sdmp, GUP.exe, 00000016.00000002.1740045949.000001DFAF5E5000.00000004.00000020.00020000.00000000.sdmp, GUP.exe, 00000016.00000002.1740867781.000001DFAFBE7000.00000004.00000001.00020000.00000000.sdmp, GUP.exe, 00000016.00000002.1740272295.000001DFAF9E0000.00000004.00000800.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000002.2244678126.0000000005A49000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000002.2240699533.0000000003E43000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000002.2242372739.0000000004A43000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000002.2246183204.0000000005E41000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000002.2242891477.0000000004E46000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000002.2242064781.000000000484F000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000002.2243966630.000000000564F000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000002.2250720438.000000000644E000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000002.2251482385.0000000006A48000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000002.2243376961.000000000524B000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000002.2239415883.0000000002CA0000.00000004.00001000.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000002.2252298555.000000000704A000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000002.2238643122.000000000233D000.00000004.00000020.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000002.2251212144.000000000684B000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000002.2250954957.0000000006649000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000002.2243662590.000000000544C000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000002.2252078722.0000000006E48000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000002.2241251920.0000000004241000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\Local State source: javasign_test.exe, 00000019.00000003.1928532432.000000000088C000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.1925523476.000000000088C000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.1927496083.000000000088C000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.1928394464.000000000088C000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: javasign_test.exe, 00000019.00000003.1927496083.0000000000894000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.1931483393.0000000000894000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.1927496083.0000000000877000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.1925523476.0000000000877000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.1928951581.0000000000894000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.1928819682.0000000000894000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.1929310350.0000000000894000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.1930401163.0000000000894000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.1928532432.0000000000894000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.1928394464.0000000000894000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831M source: javasign_test.exe, 00000019.00000003.1927496083.0000000000894000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.1931483393.0000000000894000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.1928951581.0000000000894000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.1928819682.0000000000894000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.1929310350.0000000000894000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.1930401163.0000000000894000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.1928532432.0000000000894000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.1928394464.0000000000894000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: [C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: javasign_test.exe, 00000019.00000003.1927496083.0000000000877000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.1925523476.0000000000877000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: [\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: javasign_test.exe, 00000019.00000003.1927496083.0000000000877000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.1925523476.0000000000877000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: javasign_test.exe, 00000019.00000003.1928532432.000000000088C000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.1925523476.000000000088C000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.1927496083.000000000088C000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.1928394464.000000000088C000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: fC:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB90r source: javasign_test.exe, 00000019.00000003.1927496083.0000000000877000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.1925523476.0000000000877000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\ source: javasign_test.exe, 00000019.00000003.1927496083.0000000000877000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.1925523476.0000000000877000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: javasign_test.exe, 00000019.00000003.1927496083.0000000000894000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.1927496083.0000000000877000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.1925523476.0000000000877000.00000004.00000001.00020000.00000000.sdmp
Source: C:\Windows\System32\msiexec.exe - File opened: z:
Source: C:\Windows\System32\msiexec.exe - File opened: x:
Source: C:\Windows\System32\msiexec.exe - File opened: v:
Source: C:\Windows\System32\msiexec.exe - File opened: t:
Source: C:\Windows\System32\msiexec.exe - File opened: r:
Source: C:\Windows\System32\msiexec.exe - File opened: p:
Source: C:\Windows\System32\msiexec.exe - File opened: n:
Source: C:\Windows\System32\msiexec.exe - File opened: l:
Source: C:\Windows\System32\msiexec.exe - File opened: j:
Source: C:\Windows\System32\msiexec.exe - File opened: h:
Source: C:\Windows\System32\msiexec.exe - File opened: f:
Source: C:\Windows\System32\msiexec.exe - File opened: b:
Source: C:\Windows\System32\msiexec.exe - File opened: y:
Source: C:\Windows\System32\msiexec.exe - File opened: w:
Source: C:\Windows\System32\msiexec.exe - File opened: u:
Source: C:\Windows\System32\msiexec.exe - File opened: s:
Source: C:\Windows\System32\msiexec.exe - File opened: q:
Source: C:\Windows\System32\msiexec.exe - File opened: o:
Source: C:\Windows\System32\msiexec.exe - File opened: m:
Source: C:\Windows\System32\msiexec.exe - File opened: k:
Source: C:\Windows\System32\msiexec.exe - File opened: i:
Source: C:\Windows\System32\msiexec.exe - File opened: g:
Source: C:\Windows\System32\msiexec.exe - File opened: e:
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe - File opened: c:
Source: C:\Windows\System32\msiexec.exe - File opened: a:
Source: C:\Windows\SysWOW64\cmd.exe - File opened: C:\Users\user\AppData\Roaming\
Source: C:\Windows\SysWOW64\cmd.exe - File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
Source: C:\Windows\SysWOW64\cmd.exe - File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\
Source: C:\Windows\SysWOW64\cmd.exe - File opened: C:\Users\user\AppData\
Source: C:\Windows\SysWOW64\cmd.exe - File opened: C:\Users\user\AppData\Roaming\Microsoft\
Source: C:\Windows\SysWOW64\cmd.exe - File opened: C:\Users\user\
Source: Joe Sandbox View - IP Address: 104.21.64.1
Source: Joe Sandbox View - IP Address: 52.168.117.170
Source: Joe Sandbox View - JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic - Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:49978 -> 104.21.64.1:443
Source: Network traffic - Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:49980 -> 104.21.64.1:443
Source: Network traffic - Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:49981 -> 104.21.64.1:443
Source: Network traffic - Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:50045 -> 104.21.64.1:443
Source: Network traffic - Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:50074 -> 104.21.64.1:443
Source: Network traffic - Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:50087 -> 104.21.64.1:443
Source: Network traffic - Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:50090 -> 104.21.64.1:443
Source: Network traffic - Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:50091 -> 104.21.64.1:443
Source: Network traffic - Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:50096 -> 104.21.64.1:443
Source: Network traffic - Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:50097 -> 104.21.64.1:443
Source: Network traffic - Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:50093 -> 104.21.64.1:443
Source: Network traffic - Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:50101 -> 104.21.64.1:443
Source: Network traffic - Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:50094 -> 104.21.64.1:443
Source: Network traffic - Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:50099 -> 104.21.64.1:443
Source: Network traffic - Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:50100 -> 104.21.64.1:443
Source: Network traffic - Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:50102 -> 104.21.64.1:443
Source: Network traffic - Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:50103 -> 104.21.64.1:443
Source: Network traffic - Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:50095 -> 104.21.64.1:443
Source: Network traffic - Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:50098 -> 104.21.64.1:443
Source: global traffic - HTTP traffic detected:
POST /17415-what-really-happened-channels-123-west.html?hpdws8f=7AbxF2FXIPIxxWQMTECCPsMmPZh03scavf8NeY0rpgRYZAlnWnxqk5KbuG6i0hfMaKOU2mo%2BiB%2BJA5xuEdvv%2BA%3D%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Content-Length: 147
Host: bapakopla.live
Source: global traffic - HTTP traffic detected:
POST /17415-what-really-happened-channels-123-west.html?hpdws8f=7AbxF2FXIPIxxWQMTECCPsMmPZh03scavf8NeY0rpgRYZAlnWnxqk5KbuG6i0hfMaKOU2mo%2BiB%2BJA5xuEdvv%2BA%3D%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
district: e0CS0nzroUTJmHyjf4Ysza8BokDedLC0TRdGMKk3W/9utX7gqblRpqUjmI1sc/KkWasuo7nOnBhJS5K8
Content-Length: 53
Host: bapakopla.live
Source: global traffic - HTTP traffic detected:
POST /17415-what-really-happened-channels-123-west.html?hpdws8f=7AbxF2FXIPIxxWQMTECCPsMmPZh03scavf8NeY0rpgRYZAlnWnxqk5KbuG6i0hfMaKOU2mo%2BiB%2BJA5xuEdvv%2BA%3D%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
district: e0CS0nzroUTJmHyjf4Ysza8BokDedLC0TRdGMKk3W/9utX7gqblRpqUjmI1sc/KkWasuo7nOnBhJS5K8
Content-Length: 208
Host: bapakopla.live
Source: global traffic - HTTP traffic detected:
GET /edge/ntp?locale=en-GB&title=New%20tab&dsp=1&sp=Bing&isFREModalBackground=1&startpage=1&PC=U531 HTTP/1.1
Host: ntp.msn.com
Connection: keep-alive
sec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
sec-ch-ua-platform-version: "10.0.0"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
sec-edge-ntp: {"back_block":0,"bg_cur":{},"bg_img_typ":"bing","exp":["msQuickLinksDefaultOneRow","msShoppingWebAssistOnNtp","msShoppingHistogramsOnNtp","msEnableWinHPNewTabBackButtonFocusAndClose","msCustomMaxQuickLinks","msMaxQuickLinksAt20","msAllowThemeInstallationFromChromeStore","msEdgeSplitWindowPrivateTarget","msEdgeSplitWindowLinkMode"],"feed":0,"feed_dis":"onscroll","layout":1,"quick_links_opt":1,"sel_feed_piv":"","show_greet":true,"vt_opened":false}
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate, br
Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic - HTTP traffic detected:
GET /bundles/v1/edgeChromium/latest/SSR-extension.d0b81df0decfa0886dfe.js HTTP/1.1
Host: ntp.msn.com
Connection: keep-alive
sec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
Origin: https://ntp.msn.com
sec-ch-viewport-height: 876
sec-ch-ua-arch: "x86"
sec-ch-viewport-width: 1232
sec-ch-ua-platform-version: "10.0.0"
downlink: 1.45
sec-ch-ua-full-version-list: "Microsoft Edge";v="117.0.2045.47", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"
sec-ch-ua-bitness: "64"
sec-ch-ua-model: ""
sec-ch-prefers-color-scheme: light
sec-ch-ua-platform: "Windows"
device-memory: 8
rtt: 100
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47
sec-ch-ua-full-version: "117.0.2045.47"
sec-ch-dpr: 1
ect: 4g
Accept: */*
sec-edge-ntp: {"back_block":0,"bg_cur":{},"bg_img_typ":"bing","exp":["msQuickLinksDefaultOneRow","msShoppingWebAssistOnNtp","msShoppingHistogramsOnNtp","msEnableWinHPNewTabBackButtonFocusAndClose","msCustomMaxQuickLinks","msMaxQuickLinksAt20","msAllowThemeInstallationFromChromeStore","msEdgeSplitWindowPrivateTarget","msEdgeSplitWindowLinkMode"],"feed":0,"feed_dis":"onscroll","layout":1,"quick_links_opt":1,"sel_feed_piv":"","show_greet":true,"vt_opened":false}
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: script
Referer: https://ntp.msn.com/edge/ntp?locale=en-GB&title=New%20tab&dsp=1&sp=Bing&isFREModalBackground=1&startpage=1&PC=U531
Accept-Encoding: gzip, deflate, br
Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
Cookie: _C_ETH=1; sptmarket=en-GB||us|en-us|en-us|en||cf=8|RefA=3FDC43B61D0643B49012AFCCEE58125B.RefC=2025-01-30T16:43:05Z; USRLOC=; MUID=3D2B5C354AB86677373249B14BDA678F; MUIDB=3D2B5C354AB86677373249B14BDA678F; _EDGE_S=F=1&SID=0424BF88906766732612AA0C91976751; _EDGE_V=1
Source: global traffic - HTTP traffic detected:
GET /bundles/v1/edgeChromium/latest/web-worker.8ed343c804e9069b52b4.js HTTP/1.1
Host: ntp.msn.com
Connection: keep-alive
sec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
sec-ch-viewport-height: 876
sec-ch-ua-arch: "x86"
sec-ch-viewport-width: 1232
sec-ch-ua-platform-version: "10.0.0"
downlink: 1.45
sec-ch-ua-bitness: "64"
sec-ch-ua-full-version-list: "Microsoft Edge";v="117.0.2045.47", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"
sec-ch-ua-model: ""
sec-ch-prefers-color-scheme: light
sec-ch-ua-platform: "Windows"
device-memory: 8
rtt: 200
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47
sec-ch-ua-full-version: "117.0.2045.47"
sec-ch-dpr: 1
ect: 4g
Accept: */*
sec-edge-ntp: {"back_block":0,"bg_cur":{},"bg_img_typ":"bing","exp":["msQuickLinksDefaultOneRow","msShoppingWebAssistOnNtp","msShoppingHistogramsOnNtp","msEnableWinHPNewTabBackButtonFocusAndClose","msCustomMaxQuickLinks","msMaxQuickLinksAt20","msAllowThemeInstallationFromChromeStore","msEdgeSplitWindowPrivateTarget","msEdgeSplitWindowLinkMode"],"feed":0,"feed_dis":"onscroll","layout":1,"quick_links_opt":1,"sel_feed_piv":"","show_greet":true,"vt_opened":false}
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: same-origin
Sec-Fetch-Dest: worker
Referer: https://ntp.msn.com/edge/ntp?locale=en-GB&title=New%20tab&dsp=1&sp=Bing&isFREModalBackground=1&startpage=1&PC=U531
Accept-Encoding: gzip, deflate, br
Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
Cookie: _C_ETH=1; sptmarket=en-GB||us|en-us|en-us|en||cf=8|RefA=3FDC43B61D0643B49012AFCCEE58125B.RefC=2025-01-30T16:43:05Z; USRLOC=; MUID=3D2B5C354AB86677373249B14BDA678F; MUIDB=3D2B5C354AB86677373249B14BDA678F; _EDGE_S=F=1&SID=0424BF88906766732612AA0C91976751; _EDGE_V=1
Source: global traffic - HTTP traffic detected:
OPTIONS /api/report?cat=bingbusiness HTTP/1.1
Host: bzib.nelreports.net
Connection: keep-alive
Origin: https://business.bing.com
Access-Control-Request-Method: POST
Access-Control-Request-Headers: content-type
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47
Accept-Encoding: gzip, deflate, br
Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic - HTTP traffic detected:
GET /bundles/v1/edgeChromium/latest/vendors.a8bc96a9c4710d87d862.js HTTP/1.1
Host: assets.msn.com
Connection: keep-alive
sec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
Origin: https://ntp.msn.com
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47
sec-ch-ua-platform: "Windows"
Accept: */*
Sec-Fetch-Site: same-site
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: script
Referer: https://ntp.msn.com/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic - HTTP traffic detected:
GET /bundles/v1/edgeChromium/latest/microsoft.7fc3109769390e0f7912.js HTTP/1.1
Host: assets.msn.com
Connection: keep-alive
sec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
Origin: https://ntp.msn.com
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47
sec-ch-ua-platform: "Windows"
Accept: */*
Sec-Fetch-Site: same-site
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: script
Referer: https://ntp.msn.com/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic - HTTP traffic detected:
GET /bundles/v1/edgeChromium/latest/common.eee185b1083ffdf6d054.js HTTP/1.1
Host: assets.msn.com
Connection: keep-alive
sec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
Origin: https://ntp.msn.com
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47
sec-ch-ua-platform: "Windows"
Accept: */*
Sec-Fetch-Site: same-site
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: script
Referer: https://ntp.msn.com/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic - HTTP traffic detected:
GET /bundles/v1/edgeChromium/latest/experience.026b9a80c7ff937f7d4f.js HTTP/1.1
Host: assets.msn.com
Connection: keep-alive
sec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
Origin: https://ntp.msn.com
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47
sec-ch-ua-platform: "Windows"
Accept: */*
Sec-Fetch-Site: same-site
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: script
Referer: https://ntp.msn.com/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic - HTTP traffic detected:
GET /crx/blobs/ASuc5ohfQPNzGo5SSihcSk6msC8CUKw5id-p0KCEkBKwK2LS4AjdrDP0wa1qjzCTaTWEfyM52ADmUAdPETYA5vgD87UPEj6gyG11hjsvMLHGmzQgJ9F5D8s8Lo0Lbai5BQYAxlKa5esPJXukyaicyq83JwZ0HIWqzrjN/GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_86_1_0.crx HTTP/1.1
Host: clients2.googleusercontent.com
Connection: keep-alive
Sec-Fetch-Site: none
Sec-Fetch-Mode: no-cors
Sec-Fetch-Dest: empty
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47
Accept-Encoding: gzip, deflate, br
Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic - HTTP traffic detected:
GET /statics/icons/favicon_newtabpage.png HTTP/1.1
Host: assets.msn.com
Connection: keep-alive
sec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47
sec-ch-ua-platform: "Windows"
Accept: image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
Sec-Fetch-Site: same-site
Sec-Fetch-Mode: no-cors
Sec-Fetch-Dest: image
Referer: https://ntp.msn.com/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
Cookie: _C_ETH=1; USRLOC=; MUID=3D2B5C354AB86677373249B14BDA678F; _EDGE_S=F=1&SID=0424BF88906766732612AA0C91976751; _EDGE_V=1
Source: global traffic - HTTP traffic detected:
GET /c.gif?rnd=1738255389930&udc=true&pg.n=default&pg.t=dhp&pg.c=547&pg.p=anaheim&rf=&tp=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2520tab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp&cvs=Browser&di=340&st.dpt=&st.sdpt=antp&subcvs=homepage&lng=en-us&rid=3fdc43b61d0643b49012afccee58125b&activityId=3fdc43b61d0643b49012afccee58125b&d.imd=false&scr=1280x1024&anoncknm=app_anon&issso=&aadState=0 HTTP/1.1
Host: c.msn.com
Connection: keep-alive
sec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47
sec-ch-ua-platform: "Windows"
Accept: image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
Sec-Fetch-Site: same-site
Sec-Fetch-Mode: no-cors
Sec-Fetch-Dest: image
Referer: https://ntp.msn.com/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
Cookie: _C_ETH=1; USRLOC=; MUID=3D2B5C354AB86677373249B14BDA678F; _EDGE_S=F=1&SID=0424BF88906766732612AA0C91976751; _EDGE_V=1
Source: global traffic - HTTP traffic detected:
POST /OneCollector/1.0?cors=true&content-type=application/x-json-stream&client-id=NO_AUTH&client-version=1DS-Web-JS-3.2.8&apikey=0ded60c75e44443aa3484c42c1c43fe8-9fc57d3f-fdac-4bcf-b927-75eafe60192e-7279&upload-time=1738255389928&time-delta-to-apply-millis=use-collector-delta&w=0&anoncknm=app_anon&NoResponseBody=true HTTP/1.1
Host: browser.events.data.msn.com
Connection: keep-alive
Content-Length: 3877
sec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
sec-ch-ua-platform: "Windows"
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47
Content-Type: text/plain;charset=UTF-8
Accept: */*
Origin: https://ntp.msn.com
Sec-Fetch-Site: same-site
Sec-Fetch-Mode: no-cors
Sec-Fetch-Dest: empty
Referer: https://ntp.msn.com/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
Cookie: _C_ETH=1; USRLOC=; MUID=3D2B5C354AB86677373249B14BDA678F; _EDGE_S=F=1&SID=0424BF88906766732612AA0C91976751; _EDGE_V=1
Source: global traffic - HTTP traffic detected:
GET /b?rn=1738255389930&c1=2&c2=3000001&cs_ucfr=1&c7=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2Btab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp%26mkt%3Den-us&c8=New+tab&c9=&cs_fpid=3D2B5C354AB86677373249B14BDA678F&cs_fpit=o&cs_fpdm=*null&cs_fpdt=*null HTTP/1.1
Host: sb.scorecardresearch.com
Connection: keep-alive
sec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47
sec-ch-ua-platform: "Windows"
Accept: image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: no-cors
Sec-Fetch-Dest: image
Referer: https://ntp.msn.com/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic - HTTP traffic detected:
GET /b2?rn=1738255389930&c1=2&c2=3000001&cs_ucfr=1&c7=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2Btab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp%26mkt%3Den-us&c8=New+tab&c9=&cs_fpid=3D2B5C354AB86677373249B14BDA678F&cs_fpit=o&cs_fpdm=*null&cs_fpdt=*null HTTP/1.1
Host: sb.scorecardresearch.com
Connection: keep-alive
sec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47
sec-ch-ua-platform: "Windows"
Accept: image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: no-cors
Sec-Fetch-Dest: image
Referer: https://ntp.msn.com/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
Cookie: UID=1CC6b5c786b77b8a47ea4651738255391; XID=1CC6b5c786b77b8a47ea4651738255391
Source: global traffic - HTTP traffic detected:
POST /17415-what-really-happened-channels-123-west.html?hpdws8f=7AbxF2FXIPIxxWQMTECCPsMmPZh03scavf8NeY0rpgRYZAlnWnxqk5KbuG6i0hfMaKOU2mo%2BiB%2BJA5xuEdvv%2BA%3D%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Content-Length: 147
Host: bapakopla.live
Source: global traffic - HTTP traffic detected:
GET /edge/ntp?locale=en-GB&title=New+tab&enableForceCache=true HTTP/1.1
Host: ntp.msn.com
Connection: keep-alive
sec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
sec-ch-viewport-height: 876
sec-ch-ua-arch: "x86"
sec-ch-viewport-width: 1232
sec-ch-ua-platform-version: "10.0.0"
downlink: 9.6
sec-ch-ua-bitness: "64"
sec-ch-ua-full-version-list: "Microsoft Edge";v="117.0.2045.47", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"
sec-ch-ua-model: ""
sec-ch-prefers-color-scheme: light
sec-ch-ua-platform: "Windows"
device-memory: 8
rtt: 150
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47
sec-ch-ua-full-version: "117.0.2045.47"
sec-ch-dpr: 1
ect: 4g
Accept: */*
sec-edge-ntp: {"back_block":0,"bg_cur":{},"bg_img_typ":"bing","exp":["msQuickLinksDefaultOneRow","msShoppingWebAssistOnNtp","msShoppingHistogramsOnNtp","msEnableWinHPNewTabBackButtonFocusAndClose","msCustomMaxQuickLinks","msMaxQuickLinksAt20","msAllowThemeInstallationFromChromeStore","msEdgeSplitWindowPrivateTarget","msEdgeSplitWindowLinkMode"],"feed":0,"feed_dis":"onscroll","layout":1,"quick_links_opt":1,"sel_feed_piv":"","show_greet":true,"vt_opened":false}
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://ntp.msn.com/edge/ntp?locale=en-GB&title=New%20tab&dsp=1&sp=Bing&isFREModalBackground=1&startpage=1&PC=U531
Accept-Encoding: gzip, deflate, br
Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
Cookie: _C_Auth=; pglt-edgeChromium-dhp=547; sptmarket=en-GB||us|en-us|en-us|en||cf=8|RefA=3FDC43B61D0643B49012AFCCEE58125B.RefC=2025-01-30T16:43:05Z; USRLOC=; MUID=3D2B5C354AB86677373249B14BDA678F; MUIDB=3D2B5C354AB86677373249B14BDA678F; _EDGE_S=F=1&SID=0424BF88906766732612AA0C91976751; _EDGE_V=1; MicrosoftApplicationsTelemetryDeviceId=517a087a-00f0-4a14-bd9c-6bc566699603; ai_session=B8mvYKAR6cnjHOsNufJrKq|1738255389925|1738255389925; sptmarket_restored=en-GB||us|en-us|en-us|en||cf=8|RefA=3FDC43B61D0643B49012AFCCEE58125B.RefC=2025-01-30T16:43:05Z
Source: global traffic - HTTP traffic detected:
GET /edge/ntp/service-worker.js?bundles=latest&riverAgeMinutes=2880&navAgeMinutes=2880&networkTimeoutSeconds=5&bgTaskNetworkTimeoutSeconds=8&ssrBasePageNavAgeMinutes=360&enableEmptySectionRoute=true&enableNavPreload=true&enableFallbackVerticalsFeed=true&noCacheLayoutTemplates=true&cacheSSRBasePageResponse=true&enableStaticAdsRouting=true&enableWidgetsRegion=true HTTP/1.1
Host: ntp.msn.com
Connection: keep-alive
Cache-Control: max-age=0
Accept: */*
Service-Worker: script
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47
sec-edge-ntp: {"back_block":0,"bg_cur":{"configIndex":14,"imageId":"BB1msFQB","provider":"CMSImage","userSelected":false},"bg_img_typ":"bing","exp":["msQuickLinksDefaultOneRow","msShoppingWebAssistOnNtp","msShoppingHistogramsOnNtp","msEnableWinHPNewTabBackButtonFocusAndClose","msCustomMaxQuickLinks","msMaxQuickLinksAt20","msAllowThemeInstallationFromChromeStore","msEdgeSplitWindowPrivateTarget","msEdgeSplitWindowLinkMode"],"feed":0,"feed_dis":"onscroll","layout":1,"quick_links_opt":1,"sel_feed_piv":"myFeed","show_greet":true,"vt_opened":false,"wpo_nx":{"v":"2","wgt":{"src":"default"}}}
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: same-origin
Sec-Fetch-Dest: serviceworker
Referer: https://ntp.msn.com/edge/ntp?locale=en-GB&title=New%20tab&dsp=1&sp=Bing&isFREModalBackground=1&startpage=1&PC=U531
Accept-Encoding: gzip, deflate, br
Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
Cookie: _C_Auth=; pglt-edgeChromium-dhp=547; sptmarket=en-GB||us|en-us|en-us|en||cf=8|RefA=3FDC43B61D0643B49012AFCCEE58125B.RefC=2025-01-30T16:43:05Z; USRLOC=; MUID=3D2B5C354AB86677373249B14BDA678F; MUIDB=3D2B5C354AB86677373249B14BDA678F; _EDGE_S=F=1&SID=0424BF88906766732612AA0C91976751; _EDGE_V=1; MicrosoftApplicationsTelemetryDeviceId=517a087a-00f0-4a14-bd9c-6bc566699603; ai_session=B8mvYKAR6cnjHOsNufJrKq|1738255389925|1738255389925; sptmarket_restored=en-GB||us|en-us|en-us|en||cf=8|RefA=3FDC43B61D0643B49012AFCCEE58125B.RefC=2025-01-30T16:43:05Z
Source: global traffic - HTTP traffic detected:
GET /c.gif?rnd=1738255389930&udc=true&pg.n=default&pg.t=dhp&pg.c=547&pg.p=anaheim&rf=&tp=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2520tab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp&cvs=Browser&di=340&st.dpt=&st.sdpt=antp&subcvs=homepage&lng=en-us&rid=3fdc43b61d0643b49012afccee58125b&activityId=3fdc43b61d0643b49012afccee58125b&d.imd=false&scr=1280x1024&anoncknm=app_anon&issso=&aadState=0&ctsa=mr&CtsSyncId=29C7DDB4AE5D4D598296E67465F85F29&MUID=3D2B5C354AB86677373249B14BDA678F HTTP/1.1
Host: c.msn.com
Connection: keep-alive
sec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47
sec-ch-ua-platform: "Windows"
Accept: image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: no-cors
Sec-Fetch-Dest: image
Referer: https://ntp.msn.com/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
Cookie: USRLOC=; MUID=3D2B5C354AB86677373249B14BDA678F; _EDGE_S=F=1&SID=0424BF88906766732612AA0C91976751; _EDGE_V=1; SM=T
Source: global trafficHTTP traffic detected: POST /OneCollector/1.0?cors=true&content-type=application/x-json-stream&client-id=NO_AUTH&client-version=1DS-Web-JS-3.2.8&apikey=0ded60c75e44443aa3484c42c1c43fe8-9fc57d3f-fdac-4bcf-b927-75eafe60192e-7279&upload-time=1738255392000&w=0&anoncknm=app_anon&NoResponseBody=true HTTP/1.1Host: browser.events.data.msn.comConnection: keep-aliveContent-Length: 11421sec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-platform: "Windows"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Content-Type: text/plain;charset=UTF-8Accept: */*Origin: https://ntp.msn.comSec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: USRLOC=; MUID=3D2B5C354AB86677373249B14BDA678F; _EDGE_S=F=1&SID=0424BF88906766732612AA0C91976751; _EDGE_V=1; _C_ETH=1; msnup=%7B%22cnex%22%3A%22no%22%7D
Source: global trafficHTTP traffic detected: POST /OneCollector/1.0?cors=true&content-type=application/x-json-stream&client-id=NO_AUTH&client-version=1DS-Web-JS-3.2.8&apikey=0ded60c75e44443aa3484c42c1c43fe8-9fc57d3f-fdac-4bcf-b927-75eafe60192e-7279&upload-time=1738255392003&w=0&anoncknm=app_anon&NoResponseBody=true HTTP/1.1Host: browser.events.data.msn.comConnection: keep-aliveContent-Length: 4985sec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-platform: "Windows"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Content-Type: text/plain;charset=UTF-8Accept: */*Origin: https://ntp.msn.comSec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: USRLOC=; MUID=3D2B5C354AB86677373249B14BDA678F; _EDGE_S=F=1&SID=0424BF88906766732612AA0C91976751; _EDGE_V=1; _C_ETH=1; msnup=%7B%22cnex%22%3A%22no%22%7D
Source: global trafficHTTP traffic detected: POST /17415-what-really-happened-channels-123-west.html?hpdws8f=7AbxF2FXIPIxxWQMTECCPsMmPZh03scavf8NeY0rpgRYZAlnWnxqk5KbuG6i0hfMaKOU2mo%2BiB%2BJA5xuEdvv%2BA%3D%3D HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36district: e0CS0nzroUTJmHyjf4Ysza8BokDedLC0TRdGMKk3W/9utX7gqblRpqUjmI1sc/KkWasuo7nOnBhJS5K8Content-Length: 53Host: bapakopla.live
Source: global trafficHTTP traffic detected: POST /OneCollector/1.0?cors=true&content-type=application/x-json-stream&client-id=NO_AUTH&client-version=1DS-Web-JS-3.2.8&apikey=0ded60c75e44443aa3484c42c1c43fe8-9fc57d3f-fdac-4bcf-b927-75eafe60192e-7279&upload-time=1738255392624&w=0&anoncknm=app_anon&NoResponseBody=true HTTP/1.1Host: browser.events.data.msn.comConnection: keep-aliveContent-Length: 5325sec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-platform: "Windows"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Content-Type: text/plain;charset=UTF-8Accept: */*Origin: https://ntp.msn.comSec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: USRLOC=; MUID=3D2B5C354AB86677373249B14BDA678F; _EDGE_S=F=1&SID=0424BF88906766732612AA0C91976751; _EDGE_V=1; msnup=%7B%22cnex%22%3A%22no%22%7D
Source: global trafficHTTP traffic detected: POST /OneCollector/1.0?cors=true&content-type=application/x-json-stream&client-id=NO_AUTH&client-version=1DS-Web-JS-3.2.8&apikey=0ded60c75e44443aa3484c42c1c43fe8-9fc57d3f-fdac-4bcf-b927-75eafe60192e-7279&upload-time=1738255393002&w=0&anoncknm=app_anon&NoResponseBody=true HTTP/1.1Host: browser.events.data.msn.comConnection: keep-aliveContent-Length: 9526sec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-platform: "Windows"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Content-Type: text/plain;charset=UTF-8Accept: */*Origin: https://ntp.msn.comSec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: USRLOC=; MUID=3D2B5C354AB86677373249B14BDA678F; _EDGE_S=F=1&SID=0424BF88906766732612AA0C91976751; _EDGE_V=1; msnup=%7B%22cnex%22%3A%22no%22%7D
Source: global trafficHTTP traffic detected: POST /17415-what-really-happened-channels-123-west.html?hpdws8f=7AbxF2FXIPIxxWQMTECCPsMmPZh03scavf8NeY0rpgRYZAlnWnxqk5KbuG6i0hfMaKOU2mo%2BiB%2BJA5xuEdvv%2BA%3D%3D HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36district: e0CS0nzroUTJmHyjf4Ysza8BokDedLC0TRdGMKk3W/9utX7gqblRpqUjmI1sc/KkWasuo7nOnBhJS5K8Content-Length: 693181Host: bapakopla.live
Source: global trafficHTTP traffic detected: POST /17415-what-really-happened-channels-123-west.html?hpdws8f=7AbxF2FXIPIxxWQMTECCPsMmPZh03scavf8NeY0rpgRYZAlnWnxqk5KbuG6i0hfMaKOU2mo%2BiB%2BJA5xuEdvv%2BA%3D%3D HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36district: e0CS0nzroUTJmHyjf4Ysza8BokDedLC0TRdGMKk3W/9utX7gqblRpqUjmI1sc/KkWasuo7nOnBhJS5K8Content-Length: 745Host: bapakopla.live
Source: global trafficHTTP traffic detected: POST /17415-what-really-happened-channels-123-west.html?hpdws8f=7AbxF2FXIPIxxWQMTECCPsMmPZh03scavf8NeY0rpgRYZAlnWnxqk5KbuG6i0hfMaKOU2mo%2BiB%2BJA5xuEdvv%2BA%3D%3D HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36district: e0CS0nzroUTJmHyjf4Ysza8BokDedLC0TRdGMKk3W/9utX7gqblRpqUjmI1sc/KkWasuo7nOnBhJS5K8Content-Length: 212Host: bapakopla.live
Source: global trafficHTTP traffic detected: POST /17415-what-really-happened-channels-123-west.html?hpdws8f=7AbxF2FXIPIxxWQMTECCPsMmPZh03scavf8NeY0rpgRYZAlnWnxqk5KbuG6i0hfMaKOU2mo%2BiB%2BJA5xuEdvv%2BA%3D%3D HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36district: e0CS0nzroUTJmHyjf4Ysza8BokDedLC0TRdGMKk3W/9utX7gqblRpqUjmI1sc/KkWasuo7nOnBhJS5K8Content-Length: 380Host: bapakopla.live
Source: global trafficHTTP traffic detected: POST /17415-what-really-happened-channels-123-west.html?hpdws8f=7AbxF2FXIPIxxWQMTECCPsMmPZh03scavf8NeY0rpgRYZAlnWnxqk5KbuG6i0hfMaKOU2mo%2BiB%2BJA5xuEdvv%2BA%3D%3D HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36district: e0CS0nzroUTJmHyjf4Ysza8BokDedLC0TRdGMKk3W/9utX7gqblRpqUjmI1sc/KkWasuo7nOnBhJS5K8Content-Length: 19793Host: bapakopla.live
Source: global trafficHTTP traffic detected: POST /17415-what-really-happened-channels-123-west.html?hpdws8f=7AbxF2FXIPIxxWQMTECCPsMmPZh03scavf8NeY0rpgRYZAlnWnxqk5KbuG6i0hfMaKOU2mo%2BiB%2BJA5xuEdvv%2BA%3D%3D HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36district: e0CS0nzroUTJmHyjf4Ysza8BokDedLC0TRdGMKk3W/9utX7gqblRpqUjmI1sc/KkWasuo7nOnBhJS5K8Content-Length: 73175Host: bapakopla.live
Source: global trafficHTTP traffic detected: POST /17415-what-really-happened-channels-123-west.html?hpdws8f=7AbxF2FXIPIxxWQMTECCPsMmPZh03scavf8NeY0rpgRYZAlnWnxqk5KbuG6i0hfMaKOU2mo%2BiB%2BJA5xuEdvv%2BA%3D%3D HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36district: e0CS0nzroUTJmHyjf4Ysza8BokDedLC0TRdGMKk3W/9utX7gqblRpqUjmI1sc/KkWasuo7nOnBhJS5K8Content-Length: 35Host: bapakopla.live
Source: global trafficHTTP traffic detected: POST /17415-what-really-happened-channels-123-west.html?hpdws8f=7AbxF2FXIPIxxWQMTECCPsMmPZh03scavf8NeY0rpgRYZAlnWnxqk5KbuG6i0hfMaKOU2mo%2BiB%2BJA5xuEdvv%2BA%3D%3D HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36district: e0CS0nzroUTJmHyjf4Ysza8BokDedLC0TRdGMKk3W/9utX7gqblRpqUjmI1sc/KkWasuo7nOnBhJS5K8Content-Length: 695885Host: bapakopla.live
Source: global trafficHTTP traffic detected: POST /17415-what-really-happened-channels-123-west.html?hpdws8f=7AbxF2FXIPIxxWQMTECCPsMmPZh03scavf8NeY0rpgRYZAlnWnxqk5KbuG6i0hfMaKOU2mo%2BiB%2BJA5xuEdvv%2BA%3D%3D HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36district: e0CS0nzroUTJmHyjf4Ysza8BokDedLC0TRdGMKk3W/9utX7gqblRpqUjmI1sc/KkWasuo7nOnBhJS5K8Content-Length: 745Host: bapakopla.live
Source: global trafficHTTP traffic detected: POST /17415-what-really-happened-channels-123-west.html?hpdws8f=7AbxF2FXIPIxxWQMTECCPsMmPZh03scavf8NeY0rpgRYZAlnWnxqk5KbuG6i0hfMaKOU2mo%2BiB%2BJA5xuEdvv%2BA%3D%3D HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36district: e0CS0nzroUTJmHyjf4Ysza8BokDedLC0TRdGMKk3W/9utX7gqblRpqUjmI1sc/KkWasuo7nOnBhJS5K8Content-Length: 212Host: bapakopla.live
Source: global trafficHTTP traffic detected: POST /17415-what-really-happened-channels-123-west.html?hpdws8f=7AbxF2FXIPIxxWQMTECCPsMmPZh03scavf8NeY0rpgRYZAlnWnxqk5KbuG6i0hfMaKOU2mo%2BiB%2BJA5xuEdvv%2BA%3D%3D HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36district: e0CS0nzroUTJmHyjf4Ysza8BokDedLC0TRdGMKk3W/9utX7gqblRpqUjmI1sc/KkWasuo7nOnBhJS5K8Content-Length: 380Host: bapakopla.live
Source: global trafficHTTP traffic detected: POST /17415-what-really-happened-channels-123-west.html?hpdws8f=7AbxF2FXIPIxxWQMTECCPsMmPZh03scavf8NeY0rpgRYZAlnWnxqk5KbuG6i0hfMaKOU2mo%2BiB%2BJA5xuEdvv%2BA%3D%3D HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36district: e0CS0nzroUTJmHyjf4Ysza8BokDedLC0TRdGMKk3W/9utX7gqblRpqUjmI1sc/KkWasuo7nOnBhJS5K8Content-Length: 19793Host: bapakopla.live
Source: global trafficHTTP traffic detected: POST /17415-what-really-happened-channels-123-west.html?hpdws8f=7AbxF2FXIPIxxWQMTECCPsMmPZh03scavf8NeY0rpgRYZAlnWnxqk5KbuG6i0hfMaKOU2mo%2BiB%2BJA5xuEdvv%2BA%3D%3D HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36district: e0CS0nzroUTJmHyjf4Ysza8BokDedLC0TRdGMKk3W/9utX7gqblRpqUjmI1sc/KkWasuo7nOnBhJS5K8Content-Length: 73117Host: bapakopla.live
Source: global trafficHTTP traffic detected: POST /17415-what-really-happened-channels-123-west.html?hpdws8f=7AbxF2FXIPIxxWQMTECCPsMmPZh03scavf8NeY0rpgRYZAlnWnxqk5KbuG6i0hfMaKOU2mo%2BiB%2BJA5xuEdvv%2BA%3D%3D HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36district: e0CS0nzroUTJmHyjf4Ysza8BokDedLC0TRdGMKk3W/9utX7gqblRpqUjmI1sc/KkWasuo7nOnBhJS5K8Content-Length: 35Host: bapakopla.live
Source: C:\Users\user\AppData\Local\Temp\{8A9DAA3D-7792-4C0B-949B-347972941ADA}\GUP.exeCode function: 14_2_00007FF8E77D3F20 recv,14_2_00007FF8E77D3F20
Source: global trafficHTTP traffic detected: GET /edge/ntp?locale=en-GB&title=New%20tab&dsp=1&sp=Bing&isFREModalBackground=1&startpage=1&PC=U531 HTTP/1.1Host: ntp.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"sec-ch-ua-platform-version: "10.0.0"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7sec-edge-ntp: {"back_block":0,"bg_cur":{},"bg_img_typ":"bing","exp":["msQuickLinksDefaultOneRow","msShoppingWebAssistOnNtp","msShoppingHistogramsOnNtp","msEnableWinHPNewTabBackButtonFocusAndClose","msCustomMaxQuickLinks","msMaxQuickLinksAt20","msAllowThemeInstallationFromChromeStore","msEdgeSplitWindowPrivateTarget","msEdgeSplitWindowLinkMode"],"feed":0,"feed_dis":"onscroll","layout":1,"quick_links_opt":1,"sel_feed_piv":"","show_greet":true,"vt_opened":false}Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global trafficHTTP traffic detected: GET /bundles/v1/edgeChromium/latest/SSR-extension.d0b81df0decfa0886dfe.js HTTP/1.1Host: ntp.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://ntp.msn.comsec-ch-viewport-height: 876sec-ch-ua-arch: "x86"sec-ch-viewport-width: 1232sec-ch-ua-platform-version: "10.0.0"downlink: 1.45sec-ch-ua-full-version-list: "Microsoft Edge";v="117.0.2045.47", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-prefers-color-scheme: lightsec-ch-ua-platform: "Windows"device-memory: 8rtt: 100sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-full-version: "117.0.2045.47"sec-ch-dpr: 1ect: 4gAccept: */*sec-edge-ntp: {"back_block":0,"bg_cur":{},"bg_img_typ":"bing","exp":["msQuickLinksDefaultOneRow","msShoppingWebAssistOnNtp","msShoppingHistogramsOnNtp","msEnableWinHPNewTabBackButtonFocusAndClose","msCustomMaxQuickLinks","msMaxQuickLinksAt20","msAllowThemeInstallationFromChromeStore","msEdgeSplitWindowPrivateTarget","msEdgeSplitWindowLinkMode"],"feed":0,"feed_dis":"onscroll","layout":1,"quick_links_opt":1,"sel_feed_piv":"","show_greet":true,"vt_opened":false}Sec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://ntp.msn.com/edge/ntp?locale=en-GB&title=New%20tab&dsp=1&sp=Bing&isFREModalBackground=1&startpage=1&PC=U531Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: _C_ETH=1; sptmarket=en-GB||us|en-us|en-us|en||cf=8|RefA=3FDC43B61D0643B49012AFCCEE58125B.RefC=2025-01-30T16:43:05Z; USRLOC=; MUID=3D2B5C354AB86677373249B14BDA678F; MUIDB=3D2B5C354AB86677373249B14BDA678F; _EDGE_S=F=1&SID=0424BF88906766732612AA0C91976751; _EDGE_V=1
Source: global trafficHTTP traffic detected: GET /bundles/v1/edgeChromium/latest/web-worker.8ed343c804e9069b52b4.js HTTP/1.1Host: ntp.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-viewport-height: 876sec-ch-ua-arch: "x86"sec-ch-viewport-width: 1232sec-ch-ua-platform-version: "10.0.0"downlink: 1.45sec-ch-ua-bitness: "64"sec-ch-ua-full-version-list: "Microsoft Edge";v="117.0.2045.47", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-model: ""sec-ch-prefers-color-scheme: lightsec-ch-ua-platform: "Windows"device-memory: 8rtt: 200sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-full-version: "117.0.2045.47"sec-ch-dpr: 1ect: 4gAccept: */*sec-edge-ntp: {"back_block":0,"bg_cur":{},"bg_img_typ":"bing","exp":["msQuickLinksDefaultOneRow","msShoppingWebAssistOnNtp","msShoppingHistogramsOnNtp","msEnableWinHPNewTabBackButtonFocusAndClose","msCustomMaxQuickLinks","msMaxQuickLinksAt20","msAllowThemeInstallationFromChromeStore","msEdgeSplitWindowPrivateTarget","msEdgeSplitWindowLinkMode"],"feed":0,"feed_dis":"onscroll","layout":1,"quick_links_opt":1,"sel_feed_piv":"","show_greet":true,"vt_opened":false}Sec-Fetch-Site: same-originSec-Fetch-Mode: same-originSec-Fetch-Dest: workerReferer: https://ntp.msn.com/edge/ntp?locale=en-GB&title=New%20tab&dsp=1&sp=Bing&isFREModalBackground=1&startpage=1&PC=U531Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: _C_ETH=1; sptmarket=en-GB||us|en-us|en-us|en||cf=8|RefA=3FDC43B61D0643B49012AFCCEE58125B.RefC=2025-01-30T16:43:05Z; USRLOC=; MUID=3D2B5C354AB86677373249B14BDA678F; MUIDB=3D2B5C354AB86677373249B14BDA678F; _EDGE_S=F=1&SID=0424BF88906766732612AA0C91976751; _EDGE_V=1
Source: global trafficHTTP traffic detected: GET /bundles/v1/edgeChromium/latest/vendors.a8bc96a9c4710d87d862.js HTTP/1.1Host: assets.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://ntp.msn.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: */*Sec-Fetch-Site: same-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global trafficHTTP traffic detected: GET /bundles/v1/edgeChromium/latest/microsoft.7fc3109769390e0f7912.js HTTP/1.1Host: assets.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://ntp.msn.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: */*Sec-Fetch-Site: same-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global trafficHTTP traffic detected: GET /bundles/v1/edgeChromium/latest/common.eee185b1083ffdf6d054.js HTTP/1.1Host: assets.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://ntp.msn.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: */*Sec-Fetch-Site: same-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global trafficHTTP traffic detected: GET /bundles/v1/edgeChromium/latest/experience.026b9a80c7ff937f7d4f.js HTTP/1.1Host: assets.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: https://ntp.msn.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: */*Sec-Fetch-Site: same-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global trafficHTTP traffic detected: GET /crx/blobs/ASuc5ohfQPNzGo5SSihcSk6msC8CUKw5id-p0KCEkBKwK2LS4AjdrDP0wa1qjzCTaTWEfyM52ADmUAdPETYA5vgD87UPEj6gyG11hjsvMLHGmzQgJ9F5D8s8Lo0Lbai5BQYAxlKa5esPJXukyaicyq83JwZ0HIWqzrjN/GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_86_1_0.crx HTTP/1.1Host: clients2.googleusercontent.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global trafficHTTP traffic detected: GET /statics/icons/favicon_newtabpage.png HTTP/1.1Host: assets.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: _C_ETH=1; USRLOC=; MUID=3D2B5C354AB86677373249B14BDA678F; _EDGE_S=F=1&SID=0424BF88906766732612AA0C91976751; _EDGE_V=1
Source: global trafficHTTP traffic detected: GET /c.gif?rnd=1738255389930&udc=true&pg.n=default&pg.t=dhp&pg.c=547&pg.p=anaheim&rf=&tp=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2520tab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp&cvs=Browser&di=340&st.dpt=&st.sdpt=antp&subcvs=homepage&lng=en-us&rid=3fdc43b61d0643b49012afccee58125b&activityId=3fdc43b61d0643b49012afccee58125b&d.imd=false&scr=1280x1024&anoncknm=app_anon&issso=&aadState=0 HTTP/1.1Host: c.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: _C_ETH=1; USRLOC=; MUID=3D2B5C354AB86677373249B14BDA678F; _EDGE_S=F=1&SID=0424BF88906766732612AA0C91976751; _EDGE_V=1
Source: global trafficHTTP traffic detected: GET /b?rn=1738255389930&c1=2&c2=3000001&cs_ucfr=1&c7=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2Btab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp%26mkt%3Den-us&c8=New+tab&c9=&cs_fpid=3D2B5C354AB86677373249B14BDA678F&cs_fpit=o&cs_fpdm=*null&cs_fpdt=*null HTTP/1.1Host: sb.scorecardresearch.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global trafficHTTP traffic detected: GET /b2?rn=1738255389930&c1=2&c2=3000001&cs_ucfr=1&c7=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2Btab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp%26mkt%3Den-us&c8=New+tab&c9=&cs_fpid=3D2B5C354AB86677373249B14BDA678F&cs_fpit=o&cs_fpdm=*null&cs_fpdt=*null HTTP/1.1Host: sb.scorecardresearch.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: UID=1CC6b5c786b77b8a47ea4651738255391; XID=1CC6b5c786b77b8a47ea4651738255391
Source: global trafficHTTP traffic detected: GET /edge/ntp?locale=en-GB&title=New+tab&enableForceCache=true HTTP/1.1Host: ntp.msn.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-viewport-height: 876sec-ch-ua-arch: "x86"sec-ch-viewport-width: 1232sec-ch-ua-platform-version: "10.0.0"downlink: 9.6sec-ch-ua-bitness: "64"sec-ch-ua-full-version-list: "Microsoft Edge";v="117.0.2045.47", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-model: ""sec-ch-prefers-color-scheme: lightsec-ch-ua-platform: "Windows"device-memory: 8rtt: 150sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-full-version: "117.0.2045.47"sec-ch-dpr: 1ect: 4gAccept: */*sec-edge-ntp: {"back_block":0,"bg_cur":{},"bg_img_typ":"bing","exp":["msQuickLinksDefaultOneRow","msShoppingWebAssistOnNtp","msShoppingHistogramsOnNtp","msEnableWinHPNewTabBackButtonFocusAndClose","msCustomMaxQuickLinks","msMaxQuickLinksAt20","msAllowThemeInstallationFromChromeStore","msEdgeSplitWindowPrivateTarget","msEdgeSplitWindowLinkMode"],"feed":0,"feed_dis":"onscroll","layout":1,"quick_links_opt":1,"sel_feed_piv":"","show_greet":true,"vt_opened":false}Sec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://ntp.msn.com/edge/ntp?locale=en-GB&title=New%20tab&dsp=1&sp=Bing&isFREModalBackground=1&startpage=1&PC=U531Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8Cookie: _C_Auth=; pglt-edgeChromium-dhp=547; sptmarket=en-GB||us|en-us|en-us|en||cf=8|RefA=3FDC43B61D0643B49012AFCCEE58125B.RefC=2025-01-30T16:43:05Z; USRLOC=; MUID=3D2B5C354AB86677373249B14BDA678F; MUIDB=3D2B5C354AB86677373249B14BDA678F; _EDGE_S=F=1&SID=0424BF88906766732612AA0C91976751; _EDGE_V=1; MicrosoftApplicationsTelemetryDeviceId=517a087a-00f0-4a14-bd9c-6bc566699603; 
ai_session=B8mvYKAR6cnjHOsNufJrKq|1738255389925|1738255389925; sptmarket_restored=en-GB||us|en-us|en-us|en||cf=8|RefA=3FDC43B61D0643B49012AFCCEE58125B.RefC=2025-01-30T16:43:05Z
Source: global trafficDNS traffic detected: DNS query: bapakopla.live
Source: global trafficDNS traffic detected: DNS query: ntp.msn.com
Source: global trafficDNS traffic detected: DNS query: bzib.nelreports.net
Source: global trafficDNS traffic detected: DNS query: sb.scorecardresearch.com
Source: global trafficDNS traffic detected: DNS query: assets.msn.com
Source: global trafficDNS traffic detected: DNS query: c.msn.com
Source: global trafficDNS traffic detected: DNS query: chrome.cloudflare-dns.com
Source: global trafficDNS traffic detected: DNS query: api.msn.com
Source: unknownHTTP traffic detected: POST /17415-what-really-happened-channels-123-west.html?hpdws8f=7AbxF2FXIPIxxWQMTECCPsMmPZh03scavf8NeY0rpgRYZAlnWnxqk5KbuG6i0hfMaKOU2mo%2BiB%2BJA5xuEdvv%2BA%3D%3D HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Content-Length: 147Host: bapakopla.live
Source: GUP.exe, 0000000E.00000002.1413120900.0000017407DE5000.00000004.00000020.00020000.00000000.sdmp, GUP.exe, 0000000F.00000002.1472822488.0000024EC4593000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.1774594758.0000000004D23000.00000004.00000800.00020000.00000000.sdmp, GUP.exe, 00000016.00000002.1739510907.000001DFAD91F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.1951690362.0000000004CD0000.00000004.00000800.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000002.2238875875.0000000002781000.00000004.00000001.00020000.00000000.sdmp. String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0
Source: GUP.exe, 0000000E.00000002.1413120900.0000017407DE5000.00000004.00000020.00020000.00000000.sdmp, GUP.exe, 0000000F.00000002.1472822488.0000024EC4593000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.1774594758.0000000004D23000.00000004.00000800.00020000.00000000.sdmp, GUP.exe, 00000016.00000002.1739510907.000001DFAD91F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.1951690362.0000000004CD0000.00000004.00000800.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000002.2238875875.0000000002781000.00000004.00000001.00020000.00000000.sdmp. String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCodeSigningCA-1.crt0
Source: GUP.exe, 0000000E.00000002.1413120900.0000017407DE5000.00000004.00000020.00020000.00000000.sdmp, GUP.exe, 0000000F.00000002.1472822488.0000024EC4593000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.1774594758.0000000004D23000.00000004.00000800.00020000.00000000.sdmp, GUP.exe, 00000016.00000002.1739510907.000001DFAD91F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.1951690362.0000000004CD0000.00000004.00000800.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000002.2238875875.0000000002781000.00000004.00000001.00020000.00000000.sdmp. String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: javasign_test.exe, 00000019.00000003.2126443853.0000000007FFF000.00000004.00000001.00020000.00000000.sdmp. String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: javasign_test.exe, 00000019.00000003.2126443853.0000000007FFF000.00000004.00000001.00020000.00000000.sdmp. String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: javasign_test.exe, 00000019.00000003.2132985862.0000000007FC8000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.2189447302.0000000007FC8000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.2208631971.0000000007FC8000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.2120833759.0000000007FC8000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000002.2253354425.0000000007FC8000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.2211431271.0000000007FC8000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.2127525933.0000000007FC8000.00000004.00000001.00020000.00000000.sdmp. String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG3.crt0B
Source: GUP.exe, 0000000E.00000002.1413120900.0000017407DE5000.00000004.00000020.00020000.00000000.sdmp, GUP.exe, 0000000F.00000002.1472822488.0000024EC4593000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.1774594758.0000000004D23000.00000004.00000800.00020000.00000000.sdmp, GUP.exe, 00000016.00000002.1739510907.000001DFAD91F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.1951690362.0000000004CD0000.00000004.00000800.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000002.2238875875.0000000002781000.00000004.00000001.00020000.00000000.sdmp. String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: javasign_test.exe, 00000019.00000003.2126443853.0000000007FFF000.00000004.00000001.00020000.00000000.sdmp. String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: javasign_test.exe, 00000019.00000003.2137969834.00000000004D5000.00000004.00000020.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.2177995459.00000000004D5000.00000004.00000020.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.1879586902.00000000004D5000.00000004.00000020.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.1897087534.00000000004D5000.00000004.00000020.00020000.00000000.sdmp. String found in binary or memory: http://crl.v
Source: GUP.exe, 0000000E.00000002.1413120900.0000017407DE5000.00000004.00000020.00020000.00000000.sdmp, GUP.exe, 0000000F.00000002.1472822488.0000024EC4593000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.1774594758.0000000004D23000.00000004.00000800.00020000.00000000.sdmp, GUP.exe, 00000016.00000002.1739510907.000001DFAD91F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.1951690362.0000000004CD0000.00000004.00000800.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000002.2238875875.0000000002781000.00000004.00000001.00020000.00000000.sdmp. String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08
Source: GUP.exe, 0000000E.00000002.1413120900.0000017407DE5000.00000004.00000020.00020000.00000000.sdmp, GUP.exe, 0000000F.00000002.1472822488.0000024EC4593000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.1774594758.0000000004D23000.00000004.00000800.00020000.00000000.sdmp, GUP.exe, 00000016.00000002.1739510907.000001DFAD91F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.1951690362.0000000004CD0000.00000004.00000800.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000002.2238875875.0000000002781000.00000004.00000001.00020000.00000000.sdmp. String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: GUP.exe, 0000000E.00000002.1413120900.0000017407DE5000.00000004.00000020.00020000.00000000.sdmp, GUP.exe, 0000000F.00000002.1472822488.0000024EC4593000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.1774594758.0000000004D23000.00000004.00000800.00020000.00000000.sdmp, GUP.exe, 00000016.00000002.1739510907.000001DFAD91F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.1951690362.0000000004CD0000.00000004.00000800.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000002.2238875875.0000000002781000.00000004.00000001.00020000.00000000.sdmp. String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: javasign_test.exe, 00000019.00000003.2126443853.0000000007FFF000.00000004.00000001.00020000.00000000.sdmp. String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: javasign_test.exe, 00000019.00000003.2126443853.0000000007FFF000.00000004.00000001.00020000.00000000.sdmp. String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: javasign_test.exe, 00000019.00000003.2132985862.0000000007FC8000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.2189447302.0000000007FC8000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.2208631971.0000000007FC8000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.2120833759.0000000007FC8000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000002.2253354425.0000000007FC8000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.2211431271.0000000007FC8000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.2127525933.0000000007FC8000.00000004.00000001.00020000.00000000.sdmp. String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG3.crl0
Source: GUP.exe, 0000000E.00000002.1413120900.0000017407DE5000.00000004.00000020.00020000.00000000.sdmp, GUP.exe, 0000000F.00000002.1472822488.0000024EC4593000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.1774594758.0000000004D23000.00000004.00000800.00020000.00000000.sdmp, GUP.exe, 00000016.00000002.1739510907.000001DFAD91F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.1951690362.0000000004CD0000.00000004.00000800.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000002.2238875875.0000000002781000.00000004.00000001.00020000.00000000.sdmp. String found in binary or memory: http://crl3.digicert.com/assured-cs-g1.crl00
Source: GUP.exe, 0000000E.00000002.1413120900.0000017407DE5000.00000004.00000020.00020000.00000000.sdmp, GUP.exe, 0000000F.00000002.1472822488.0000024EC4593000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.1774594758.0000000004D23000.00000004.00000800.00020000.00000000.sdmp, GUP.exe, 00000016.00000002.1739510907.000001DFAD91F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.1951690362.0000000004CD0000.00000004.00000800.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000002.2238875875.0000000002781000.00000004.00000001.00020000.00000000.sdmp. String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: GUP.exe, 0000000E.00000002.1413120900.0000017407DE5000.00000004.00000020.00020000.00000000.sdmp, GUP.exe, 0000000F.00000002.1472822488.0000024EC4593000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.1774594758.0000000004D23000.00000004.00000800.00020000.00000000.sdmp, GUP.exe, 00000016.00000002.1739510907.000001DFAD91F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.1951690362.0000000004CD0000.00000004.00000800.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000002.2238875875.0000000002781000.00000004.00000001.00020000.00000000.sdmp. String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w
Source: GUP.exe, 0000000E.00000002.1413120900.0000017407DE5000.00000004.00000020.00020000.00000000.sdmp, GUP.exe, 0000000F.00000002.1472822488.0000024EC4593000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.1774594758.0000000004D23000.00000004.00000800.00020000.00000000.sdmp, GUP.exe, 00000016.00000002.1739510907.000001DFAD91F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.1951690362.0000000004CD0000.00000004.00000800.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000002.2238875875.0000000002781000.00000004.00000001.00020000.00000000.sdmp. String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: GUP.exe, 0000000E.00000002.1413120900.0000017407DE5000.00000004.00000020.00020000.00000000.sdmp, GUP.exe, 0000000F.00000002.1472822488.0000024EC4593000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.1774594758.0000000004D23000.00000004.00000800.00020000.00000000.sdmp, GUP.exe, 00000016.00000002.1739510907.000001DFAD91F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.1951690362.0000000004CD0000.00000004.00000800.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000002.2238875875.0000000002781000.00000004.00000001.00020000.00000000.sdmp. String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: javasign_test.exe, 00000019.00000003.2126443853.0000000007FFF000.00000004.00000001.00020000.00000000.sdmp. String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: GUP.exe, 0000000E.00000002.1413120900.0000017407DE5000.00000004.00000020.00020000.00000000.sdmp, GUP.exe, 0000000F.00000002.1472822488.0000024EC4593000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.1774594758.0000000004D23000.00000004.00000800.00020000.00000000.sdmp, GUP.exe, 00000016.00000002.1739510907.000001DFAD91F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.1951690362.0000000004CD0000.00000004.00000800.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000002.2238875875.0000000002781000.00000004.00000001.00020000.00000000.sdmp. String found in binary or memory: http://crl4.digicert.com/assured-cs-g1.crl0L
Source: GUP.exe, 0000000E.00000002.1413120900.0000017407DE5000.00000004.00000020.00020000.00000000.sdmp, GUP.exe, 0000000F.00000002.1472822488.0000024EC4593000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.1774594758.0000000004D23000.00000004.00000800.00020000.00000000.sdmp, GUP.exe, 00000016.00000002.1739510907.000001DFAD91F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.1951690362.0000000004CD0000.00000004.00000800.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000002.2238875875.0000000002781000.00000004.00000001.00020000.00000000.sdmp. String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: javasign_test.exe, 00000019.00000003.2126443853.0000000007FFF000.00000004.00000001.00020000.00000000.sdmp. String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: javasign_test.exe, 00000019.00000003.2068192039.0000000007FA3000.00000004.00000001.00020000.00000000.sdmp. String found in binary or memory: http://e5.i.lencr.org/0A
Source: javasign_test.exe, 00000019.00000003.2068192039.0000000007FA3000.00000004.00000001.00020000.00000000.sdmp. String found in binary or memory: http://e5.o.lencr.org0
Source: javasign_test.exe, 00000019.00000003.2132985862.0000000007FC8000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.2189447302.0000000007FC8000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.2208631971.0000000007FC8000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.2120833759.0000000007FC8000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000002.2253354425.0000000007FC8000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.2126443853.0000000007FFF000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.2211431271.0000000007FC8000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.2127525933.0000000007FC8000.00000004.00000001.00020000.00000000.sdmp. String found in binary or memory: http://ocsp.digicert.com0
Source: GUP.exe, 0000000E.00000002.1413120900.0000017407DE5000.00000004.00000020.00020000.00000000.sdmp, GUP.exe, 0000000F.00000002.1472822488.0000024EC4593000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.1774594758.0000000004D23000.00000004.00000800.00020000.00000000.sdmp, GUP.exe, 00000016.00000002.1739510907.000001DFAD91F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.1951690362.0000000004CD0000.00000004.00000800.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000002.2238875875.0000000002781000.00000004.00000001.00020000.00000000.sdmp. String found in binary or memory: http://ocsp.digicert.com0A
Source: GUP.exe, 0000000E.00000002.1413120900.0000017407DE5000.00000004.00000020.00020000.00000000.sdmp, GUP.exe, 0000000F.00000002.1472822488.0000024EC4593000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.1774594758.0000000004D23000.00000004.00000800.00020000.00000000.sdmp, GUP.exe, 00000016.00000002.1739510907.000001DFAD91F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.1951690362.0000000004CD0000.00000004.00000800.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000002.2238875875.0000000002781000.00000004.00000001.00020000.00000000.sdmp. String found in binary or memory: http://ocsp.digicert.com0C
Source: GUP.exe, 0000000E.00000002.1413120900.0000017407DE5000.00000004.00000020.00020000.00000000.sdmp, GUP.exe, 0000000F.00000002.1472822488.0000024EC4593000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.1774594758.0000000004D23000.00000004.00000800.00020000.00000000.sdmp, GUP.exe, 00000016.00000002.1739510907.000001DFAD91F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.1951690362.0000000004CD0000.00000004.00000800.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000002.2238875875.0000000002781000.00000004.00000001.00020000.00000000.sdmp. String found in binary or memory: http://ocsp.digicert.com0L
Source: GUP.exe, 0000000E.00000002.1413120900.0000017407DE5000.00000004.00000020.00020000.00000000.sdmp, GUP.exe, 0000000F.00000002.1472822488.0000024EC4593000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.1774594758.0000000004D23000.00000004.00000800.00020000.00000000.sdmp, GUP.exe, 00000016.00000002.1739510907.000001DFAD91F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.1951690362.0000000004CD0000.00000004.00000800.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000002.2238875875.0000000002781000.00000004.00000001.00020000.00000000.sdmp. String found in binary or memory: http://ocsp.digicert.com0O
Source: javasign_test.exe, 00000019.00000003.2126443853.0000000007FFF000.00000004.00000001.00020000.00000000.sdmp. String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: GUP.exe, 0000000E.00000002.1413120900.0000017407DE5000.00000004.00000020.00020000.00000000.sdmp, GUP.exe, 0000000F.00000002.1472822488.0000024EC4593000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.1774594758.0000000004D23000.00000004.00000800.00020000.00000000.sdmp, GUP.exe, 00000016.00000002.1739510907.000001DFAD91F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.1951690362.0000000004CD0000.00000004.00000800.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000002.2238875875.0000000002781000.00000004.00000001.00020000.00000000.sdmp. String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: GUP.exe, 0000000E.00000002.1413120900.0000017407DE5000.00000004.00000020.00020000.00000000.sdmp, GUP.exe, 0000000F.00000002.1472822488.0000024EC4593000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.1774594758.0000000004D23000.00000004.00000800.00020000.00000000.sdmp, GUP.exe, 00000016.00000002.1739510907.000001DFAD91F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.1951690362.0000000004CD0000.00000004.00000800.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000002.2238875875.0000000002781000.00000004.00000001.00020000.00000000.sdmp. String found in binary or memory: http://s2.symcb.com0
Source: GUP.exe, 0000000E.00000002.1413120900.0000017407DE5000.00000004.00000020.00020000.00000000.sdmp, GUP.exe, 0000000F.00000002.1472822488.0000024EC4593000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.1774594758.0000000004D23000.00000004.00000800.00020000.00000000.sdmp, GUP.exe, 00000016.00000002.1739510907.000001DFAD91F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.1951690362.0000000004CD0000.00000004.00000800.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000002.2238875875.0000000002781000.00000004.00000001.00020000.00000000.sdmp. String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: GUP.exe, 0000000E.00000002.1413120900.0000017407DE5000.00000004.00000020.00020000.00000000.sdmp, GUP.exe, 0000000F.00000002.1472822488.0000024EC4593000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.1774594758.0000000004D23000.00000004.00000800.00020000.00000000.sdmp, GUP.exe, 00000016.00000002.1739510907.000001DFAD91F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.1951690362.0000000004CD0000.00000004.00000800.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000002.2238875875.0000000002781000.00000004.00000001.00020000.00000000.sdmp. String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: GUP.exe, 0000000E.00000002.1413120900.0000017407DE5000.00000004.00000020.00020000.00000000.sdmp, GUP.exe, 0000000F.00000002.1472822488.0000024EC4593000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.1774594758.0000000004D23000.00000004.00000800.00020000.00000000.sdmp, GUP.exe, 00000016.00000002.1739510907.000001DFAD91F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.1951690362.0000000004CD0000.00000004.00000800.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000002.2238875875.0000000002781000.00000004.00000001.00020000.00000000.sdmp. String found in binary or memory: http://sv.symcd.com0&
Source: GUP.exe, 0000000E.00000002.1413120900.0000017407DE5000.00000004.00000020.00020000.00000000.sdmp, GUP.exe, 0000000F.00000002.1472822488.0000024EC4593000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.1774594758.0000000004D23000.00000004.00000800.00020000.00000000.sdmp, GUP.exe, 00000016.00000002.1739510907.000001DFAD91F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.1951690362.0000000004CD0000.00000004.00000800.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000002.2238875875.0000000002781000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000002.2254276363.00000001401E0000.00000002.00000001.01000000.0000000D.sdmp. String found in binary or memory: http://www.???.xx/?search=%s
Source: GUP.exe, 0000000E.00000002.1413120900.0000017407DE5000.00000004.00000020.00020000.00000000.sdmp, GUP.exe, 0000000F.00000002.1472822488.0000024EC4593000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.1774594758.0000000004D23000.00000004.00000800.00020000.00000000.sdmp, GUP.exe, 00000016.00000002.1739510907.000001DFAD91F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.1951690362.0000000004CD0000.00000004.00000800.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000002.2238875875.0000000002781000.00000004.00000001.00020000.00000000.sdmp. String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: GUP.exe, 0000000E.00000002.1413120900.0000017407D8F000.00000004.00000020.00020000.00000000.sdmp, GUP.exe, 0000000F.00000002.1472822488.0000024EC453D000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.1774594758.0000000004CDA000.00000004.00000800.00020000.00000000.sdmp, GUP.exe, 00000016.00000002.1739510907.000001DFAD8C9000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.1951690362.0000000004C87000.00000004.00000800.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000002.2238875875.0000000002738000.00000004.00000001.00020000.00000000.sdmp. String found in binary or memory: http://www.info-zip.org/
Source: GUP.exe, 0000000E.00000002.1413120900.0000017407DE5000.00000004.00000020.00020000.00000000.sdmp, GUP.exe, 0000000F.00000002.1472822488.0000024EC4593000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.1774594758.0000000004D23000.00000004.00000800.00020000.00000000.sdmp, GUP.exe, 00000016.00000002.1739510907.000001DFAD91F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.1951690362.0000000004CD0000.00000004.00000800.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000002.2238875875.0000000002781000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000002.2254276363.00000001401E0000.00000002.00000001.01000000.0000000D.sdmp. String found in binary or memory: http://www.softwareok.com
Source: javasign_test.exe, 00000019.00000000.1699052409.00000001401F4000.00000002.00000001.01000000.0000000D.sdmp. String found in binary or memory: http://www.softwareok.com/?Download=Find.Same.Images.OK
Source: javasign_test.exe, 00000019.00000000.1699052409.00000001401F4000.00000002.00000001.01000000.0000000D.sdmp. String found in binary or memory: http://www.softwareok.com/?Freeware/Find.Same.Images.OK
Source: javasign_test.exe, 00000019.00000000.1699052409.00000001401F4000.00000002.00000001.01000000.0000000D.sdmp. String found in binary or memory: http://www.softwareok.com/?Freeware/Find.Same.Images.OK/History
Source: javasign_test.exe, 00000019.00000000.1699052409.00000001401F4000.00000002.00000001.01000000.0000000D.sdmp. String found in binary or memory: http://www.softwareok.com/?seite=faq-Find.Same.Images.OK&faq=0
Source: GUP.exe, 0000000E.00000002.1413120900.0000017407DE5000.00000004.00000020.00020000.00000000.sdmp, GUP.exe, 0000000F.00000002.1472822488.0000024EC4593000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.1774594758.0000000004D23000.00000004.00000800.00020000.00000000.sdmp, GUP.exe, 00000016.00000002.1739510907.000001DFAD91F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.1951690362.0000000004CD0000.00000004.00000800.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000002.2238875875.0000000002781000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000002.2254276363.00000001401E0000.00000002.00000001.01000000.0000000D.sdmp. String found in binary or memory: http://www.softwareok.de
Source: javasign_test.exe, 00000019.00000000.1699052409.00000001401F4000.00000002.00000001.01000000.0000000D.sdmp. String found in binary or memory: http://www.softwareok.de/?Download=Find.Same.Images.OK
Source: javasign_test.exe, 00000019.00000000.1699052409.00000001401F4000.00000002.00000001.01000000.0000000D.sdmp. String found in binary or memory: http://www.softwareok.de/?Freeware/Find.Same.Images.OK
Source: javasign_test.exe, 00000019.00000000.1699052409.00000001401F4000.00000002.00000001.01000000.0000000D.sdmp. String found in binary or memory: http://www.softwareok.de/?Freeware/Find.Same.Images.OK/History
Source: javasign_test.exe, 00000019.00000000.1699052409.00000001401F4000.00000002.00000001.01000000.0000000D.sdmp. String found in binary or memory: http://www.softwareok.de/?seite=faq-Find.Same.Images.OK&faq=0
Source: javasign_test.exe, 00000019.00000002.2238875875.0000000002781000.00000004.00000001.00020000.00000000.sdmp. String found in binary or memory: http://www.surfok.de/
Source: GUP.exe, 0000000E.00000002.1413120900.0000017407DE5000.00000004.00000020.00020000.00000000.sdmp, GUP.exe, 0000000F.00000002.1472822488.0000024EC4593000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.1774594758.0000000004D23000.00000004.00000800.00020000.00000000.sdmp, GUP.exe, 00000016.00000002.1739510907.000001DFAD91F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.1951690362.0000000004CD0000.00000004.00000800.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000002.2238875875.0000000002781000.00000004.00000001.00020000.00000000.sdmp. String found in binary or memory: http://www.symauth.com/cps0(
Source: GUP.exe, 0000000E.00000002.1413120900.0000017407DE5000.00000004.00000020.00020000.00000000.sdmp, GUP.exe, 0000000F.00000002.1472822488.0000024EC4593000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.1774594758.0000000004D23000.00000004.00000800.00020000.00000000.sdmp, GUP.exe, 00000016.00000002.1739510907.000001DFAD91F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.1951690362.0000000004CD0000.00000004.00000800.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000002.2238875875.0000000002781000.00000004.00000001.00020000.00000000.sdmp. String found in binary or memory: http://www.symauth.com/rpa00
Source: GUP.exe, 0000000E.00000002.1413120900.0000017407DE5000.00000004.00000020.00020000.00000000.sdmp, GUP.exe, 0000000F.00000002.1472822488.0000024EC4593000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.1774594758.0000000004D23000.00000004.00000800.00020000.00000000.sdmp, GUP.exe, 00000016.00000002.1739510907.000001DFAD91F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.1951690362.0000000004CD0000.00000004.00000800.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000002.2238875875.0000000002781000.00000004.00000001.00020000.00000000.sdmp. String found in binary or memory: http://www.vmware.com/0
Source: GUP.exe, 0000000E.00000002.1413120900.0000017407DE5000.00000004.00000020.00020000.00000000.sdmp, GUP.exe, 0000000F.00000002.1472822488.0000024EC4593000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.1774594758.0000000004D23000.00000004.00000800.00020000.00000000.sdmp, GUP.exe, 00000016.00000002.1739510907.000001DFAD91F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.1951690362.0000000004CD0000.00000004.00000800.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000002.2238875875.0000000002781000.00000004.00000001.00020000.00000000.sdmp. String found in binary or memory: http://www.vmware.com/0/
Source: javasign_test.exe, 00000019.00000003.2068192039.0000000007FA3000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.2126443853.0000000007FFF000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.2068192039.0000000007FA7000.00000004.00000001.00020000.00000000.sdmp. String found in binary or memory: http://x1.c.lencr.org/0
Source: javasign_test.exe, 00000019.00000003.2068192039.0000000007FA3000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.2126443853.0000000007FFF000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.2068192039.0000000007FA7000.00000004.00000001.00020000.00000000.sdmp. String found in binary or memory: http://x1.i.lencr.org/0
Source: javasign_test.exe, 00000019.00000003.1929888666.00000000008D9000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.1930036035.00000000008D9000.00000004.00000001.00020000.00000000.sdmp. String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: javasign_test.exe, 00000019.00000003.2132985862.0000000007FC8000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.2068192039.0000000007FB0000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.2189447302.0000000007FC8000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.2208631971.0000000007FC8000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.2120833759.0000000007FC8000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000002.2253354425.0000000007FC8000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.2211431271.0000000007FC8000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.2127525933.0000000007FC8000.00000004.00000001.00020000.00000000.sdmp. String found in binary or memory: https://assets.msn.com/bundles/v1/edgeChromium/latest/common-segments.f68ee5aa19f6973c90eb.js
Source: javasign_test.exe, 00000019.00000003.2132985862.0000000007FC8000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.2068192039.0000000007FB0000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.2189447302.0000000007FC8000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.2208631971.0000000007FC8000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.2120833759.0000000007FC8000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000002.2253354425.0000000007FC8000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.2211431271.0000000007FC8000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.2127525933.0000000007FC8000.00000004.00000001.00020000.00000000.sdmp. String found in binary or memory: https://assets.msn.com/bundles/v1/edgeChromium/latest/common-segments.f68ee5aa19f6973c90eb.jsa.js
Source: javasign_test.exe, 00000019.00000003.2132985862.0000000007FC8000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.2189447302.0000000007FC8000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.2208631971.0000000007FC8000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.2120833759.0000000007FC8000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000002.2253354425.0000000007FC8000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.2211431271.0000000007FC8000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.2127525933.0000000007FC8000.00000004.00000001.00020000.00000000.sdmp. String found in binary or memory: https://assets.msn.com/bundles/v1/edgeChromium/latest/common-settings-edgenext.e38a5b1c655db7a449de.
Source: javasign_test.exe, 00000019.00000003.2132985862.0000000007FC8000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.2068192039.0000000007FB0000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.2189447302.0000000007FC8000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.2208631971.0000000007FC8000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.2120833759.0000000007FC8000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000002.2253354425.0000000007FC8000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.2211431271.0000000007FC8000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.2127525933.0000000007FC8000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/bundles/v1/edgeChromium/latest/toast-wc.a6ec0994c38d3a2ed778.js
Source: javasign_test.exe, 00000019.00000003.2132985862.0000000007FC8000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.2068192039.0000000007FB0000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.2189447302.0000000007FC8000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.2208631971.0000000007FC8000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.2120833759.0000000007FC8000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000002.2253354425.0000000007FC8000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.2211431271.0000000007FC8000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.2127525933.0000000007FC8000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/bundles/v1/edgeChromium/latest/toast-wc.a6ec0994c38d3a2ed778.js016b.jsN
Source: javasign_test.exe, 00000019.00000003.2119041666.00000000008FA000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/service/news/feed/pages/weblayout?User=m-3D2B5C354AB86677373249B14BDA678F&act
Source: javasign_test.exe, 00000019.00000003.2177995459.0000000000515000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bapakopla.live/
Source: javasign_test.exe, 00000019.00000002.2237602703.000000000084E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://bapakopla.live/17415-what-really-happened-channels-123-west.html
Source: javasign_test.exe, 00000019.00000003.1898115248.0000000000894000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000002.2237602703.000000000088C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://bapakopla.live/17415-what-really-happened-channels-123-west.html?hpdws8f=7AbxF2FXIPIxxWQMTEC
Source: javasign_test.exe, 00000019.00000002.2237602703.000000000084E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://bapakopla.live/17415-what-really-happened-channels-123-west.htmlJ
Source: javasign_test.exe, 00000019.00000003.1897087534.0000000000515000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bapakopla.live/Bz
Source: javasign_test.exe, 00000019.00000002.2236776539.0000000000515000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bapakopla.live/Vz
Source: javasign_test.exe, 00000019.00000002.2236776539.0000000000515000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bapakopla.live/jE8
Source: javasign_test.exe, 00000019.00000002.2236776539.0000000000515000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bapakopla.live/rE
Source: javasign_test.exe, 00000019.00000002.2236776539.0000000000515000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bapakopla.live/sJz
Source: javasign_test.exe, 00000019.00000003.2177995459.00000000004C7000.00000004.00000020.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.1888287976.00000000004C7000.00000004.00000020.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000002.2236776539.00000000004C0000.00000004.00000020.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.1880135664.00000000004C7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bapakopla.live:443/17415-what-really-happened-channels-123-west.html?hpdws8f=7AbxF2FXIPIxxWQ
Source: javasign_test.exe, 00000019.00000003.2177995459.00000000004D5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bapakopla.live:443P
Source: javasign_test.exe, 00000019.00000003.1929888666.00000000008D9000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.1930036035.00000000008D9000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: javasign_test.exe, 00000019.00000003.1929888666.00000000008D9000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.1930036035.00000000008D9000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: javasign_test.exe, 00000019.00000003.1929888666.00000000008D9000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.1930036035.00000000008D9000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: GUP.exeString found in binary or memory: https://curl.se/
Source: GUP.exe, 0000000E.00000002.1406296897.0000017400E6E000.00000004.00000020.00020000.00000000.sdmp, GUP.exe, 0000000E.00000002.1414831459.00007FF8E7870000.00000002.00000001.01000000.00000005.sdmp, GUP.exe, 0000000F.00000002.1475041257.00007FF8E7640000.00000002.00000001.01000000.00000008.sdmp, GUP.exe, 00000016.00000002.1742288022.00007FF8E7740000.00000002.00000001.01000000.00000008.sdmpString found in binary or memory: https://curl.se/V
Source: GUP.exe, 00000016.00000002.1742189864.00007FF8E771B000.00000002.00000001.01000000.00000008.sdmpString found in binary or memory: https://curl.se/docs/alt-svc.html
Source: GUP.exeString found in binary or memory: https://curl.se/docs/alt-svc.html#
Source: GUP.exeString found in binary or memory: https://curl.se/docs/copyright.html
Source: GUP.exe, 0000000E.00000002.1406296897.0000017400E6E000.00000004.00000020.00020000.00000000.sdmp, GUP.exe, 0000000E.00000002.1414831459.00007FF8E7870000.00000002.00000001.01000000.00000005.sdmp, GUP.exe, 0000000F.00000002.1475041257.00007FF8E7640000.00000002.00000001.01000000.00000008.sdmp, GUP.exe, 00000016.00000002.1742288022.00007FF8E7740000.00000002.00000001.01000000.00000008.sdmpString found in binary or memory: https://curl.se/docs/copyright.htmlD
Source: GUP.exe, GUP.exe, 0000000F.00000002.1474955126.00007FF8E761B000.00000002.00000001.01000000.00000008.sdmp, GUP.exe, 00000016.00000002.1742189864.00007FF8E771B000.00000002.00000001.01000000.00000008.sdmpString found in binary or memory: https://curl.se/docs/hsts.html
Source: GUP.exeString found in binary or memory: https://curl.se/docs/hsts.html#
Source: GUP.exe, GUP.exe, 0000000F.00000002.1474955126.00007FF8E761B000.00000002.00000001.01000000.00000008.sdmp, GUP.exe, 00000016.00000002.1742189864.00007FF8E771B000.00000002.00000001.01000000.00000008.sdmpString found in binary or memory: https://curl.se/docs/http-cookies.html
Source: GUP.exeString found in binary or memory: https://curl.se/docs/http-cookies.html#
Source: GUP.exe, 0000000E.00000002.1413120900.0000017407DE5000.00000004.00000020.00020000.00000000.sdmp, GUP.exe, 0000000F.00000002.1472822488.0000024EC4593000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.1774594758.0000000004D23000.00000004.00000800.00020000.00000000.sdmp, GUP.exe, 00000016.00000002.1739510907.000001DFAD91F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.1951690362.0000000004CD0000.00000004.00000800.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000002.2238875875.0000000002781000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://d.symcb.com/cps0%
Source: GUP.exe, 0000000E.00000002.1413120900.0000017407DE5000.00000004.00000020.00020000.00000000.sdmp, GUP.exe, 0000000F.00000002.1472822488.0000024EC4593000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.1774594758.0000000004D23000.00000004.00000800.00020000.00000000.sdmp, GUP.exe, 00000016.00000002.1739510907.000001DFAD91F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.1951690362.0000000004CD0000.00000004.00000800.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000002.2238875875.0000000002781000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://d.symcb.com/rpa0
Source: javasign_test.exe, 00000019.00000003.2093032418.0000000007F9F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
Source: javasign_test.exe, 00000019.00000003.1929888666.00000000008D9000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.1930036035.00000000008D9000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
Source: javasign_test.exe, 00000019.00000003.1929888666.00000000008D9000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.1930036035.00000000008D9000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: javasign_test.exe, 00000019.00000003.1929888666.00000000008D9000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.1930036035.00000000008D9000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: javasign_test.exe, 00000019.00000003.2093032418.0000000007F81000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://ecs.nel.measure.office.net/?TenantId=Edge&DesusertionEndpoint=Edge-Prod-EWR30r1&FrontEnd=AFD
Source: javasign_test.exe, 00000019.00000003.2127525933.0000000007FC8000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.2093032418.0000000007FB0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://msn.com
Source: javasign_test.exe, 00000019.00000003.2068192039.0000000007FB0000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.2093032418.0000000007FB0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://msn.comP
Source: GUP.exeString found in binary or memory: https://notepad-plus-plus.org/downloads/
Source: GUP.exe, 0000000E.00000002.1414525765.00007FF60CDC8000.00000002.00000001.01000000.00000004.sdmp, GUP.exe, 0000000E.00000000.1394870114.00007FF60CDC8000.00000002.00000001.01000000.00000004.sdmp, GUP.exe, 0000000F.00000000.1405783439.00007FF7F5F08000.00000002.00000001.01000000.00000007.sdmp, GUP.exe, 0000000F.00000002.1474561861.00007FF7F5F08000.00000002.00000001.01000000.00000007.sdmp, GUP.exe, 00000016.00000000.1671349601.00007FF7F5F08000.00000002.00000001.01000000.00000007.sdmp, GUP.exe, 00000016.00000002.1741952203.00007FF7F5F08000.00000002.00000001.01000000.00000007.sdmpString found in binary or memory: https://notepad-plus-plus.org/downloads/openid_moreinfohttps://npp-user-manual.org/docs/upgrading/#n
Source: GUP.exeString found in binary or memory: https://npp-user-manual.org/docs/upgrading/#new-version-available-but-auto-updater-find-nothing
Source: javasign_test.exe, 00000019.00000003.2132985862.0000000007FC8000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.2189447302.0000000007FC8000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.2208631971.0000000007FC8000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.2120833759.0000000007FC8000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000002.2253354425.0000000007FC8000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.2093828757.00000000008D6000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.2093032418.0000000007F81000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.2093618074.00000000008EE000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.2119041666.00000000008FA000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.2211431271.0000000007FC8000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.2127525933.0000000007FC8000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.2093032418.0000000007F9F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://ntp.msn.com
Source: javasign_test.exe, 00000019.00000003.2068192039.0000000007FA3000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.2119041666.00000000008FA000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.2118511502.0000000007FA8000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://ntp.msn.com/
Source: javasign_test.exe, 00000019.00000003.2068192039.0000000007FB0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://ntp.msn.com/edge/ntp?locale=en-GB&title=New%20tab&dsp=1&sp=Bing&isFREModalBackground=1&start
Source: javasign_test.exe, 00000019.00000003.2068192039.0000000007FA3000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://ntp.msn.com/tt
Source: javasign_test.exe, 00000019.00000003.2093618074.00000000008EE000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://ntp.msn.comAccess-Control-Expose-Headers:
Source: javasign_test.exe, 00000019.00000003.2118511502.0000000007F97000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://ntp.msn.comreport-to
Source: javasign_test.exe, 00000019.00000003.2093828757.00000000008D6000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.2211431271.0000000007FC8000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.2127525933.0000000007FC8000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.2093032418.0000000007F9F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://ntp.msn.comreport-to:
Source: javasign_test.exe, 00000019.00000003.2118511502.0000000007F97000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://ntp.msn.comsec-fetch-sitesame-sitesec-fetch-modecorssec-fetch-destemptyrefererhttps://ntp.ms
Source: javasign_test.exe, 00000019.00000003.2135410886.00000000085A3000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org
Source: javasign_test.exe, 00000019.00000003.2135410886.00000000085AA000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: javasign_test.exe, 00000019.00000003.2135410886.00000000085AA000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.GNzbMA16ssY5
Source: GUP.exe, 0000000E.00000002.1413120900.0000017407DE5000.00000004.00000020.00020000.00000000.sdmp, GUP.exe, 0000000F.00000002.1472822488.0000024EC4593000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.1774594758.0000000004D23000.00000004.00000800.00020000.00000000.sdmp, GUP.exe, 00000016.00000002.1739510907.000001DFAD91F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.1951690362.0000000004CD0000.00000004.00000800.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000002.2238875875.0000000002781000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.digicert.com/CPS0
Source: javasign_test.exe, 00000019.00000003.1929888666.00000000008D9000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.1930036035.00000000008D9000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
Source: javasign_test.exe, 00000019.00000003.1929888666.00000000008D9000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.1930036035.00000000008D9000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: javasign_test.exe, 00000019.00000003.2135410886.00000000085A3000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org
Source: javasign_test.exe, 00000019.00000003.2135410886.00000000085AA000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.HCe2hc5EPKfq
Source: javasign_test.exe, 00000019.00000003.2135410886.00000000085AA000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.oX6J3D7V9Efv
Source: javasign_test.exe, 00000019.00000003.2135410886.00000000085AA000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: javasign_test.exe, 00000019.00000003.2135410886.00000000085AA000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: javasign_test.exe, 00000019.00000003.2135410886.00000000085AA000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: javasign_test.exe, 00000019.00000003.2135410886.00000000085AA000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: unknownNetwork traffic detected: HTTP traffic on port 50013 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49981
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49980
Source: unknownNetwork traffic detected: HTTP traffic on port 50007 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50056
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50055
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50058
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50057
Source: unknownNetwork traffic detected: HTTP traffic on port 50059 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 50094 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50059
Source: unknownNetwork traffic detected: HTTP traffic on port 50022 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50061
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50060
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50063
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50062
Source: unknownNetwork traffic detected: HTTP traffic on port 50068 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 50102 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 50045 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49978
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50106
Source: unknownNetwork traffic detected: HTTP traffic on port 49675 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50105
Source: unknownNetwork traffic detected: HTTP traffic on port 49996 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50107
Source: unknownNetwork traffic detected: HTTP traffic on port 50010 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 50060 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 50018 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50064
Source: unknownNetwork traffic detected: HTTP traffic on port 50091 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50100
Source: unknownNetwork traffic detected: HTTP traffic on port 50056 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50102
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50068
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50101
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50103
Source: unknownNetwork traffic detected: HTTP traffic on port 50074 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 50107 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 50004 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49981 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50074
Source: unknownNetwork traffic detected: HTTP traffic on port 49978 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49674 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 50034 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 50015 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50075
Source: unknownNetwork traffic detected: HTTP traffic on port 49989 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 50057 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 50096 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 50001 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 50099 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 50028 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 50031 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49992 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 50100 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50007
Source: unknownNetwork traffic detected: HTTP traffic on port 50062 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50006
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50008
Source: unknownNetwork traffic detected: HTTP traffic on port 49677 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50087
Source: unknownNetwork traffic detected: HTTP traffic on port 50093 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50001
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50000
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50003
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50002
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50005
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50004
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50090
Source: unknownNetwork traffic detected: HTTP traffic on port 50048 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50091
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50094
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50093
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50096
Source: unknownNetwork traffic detected: HTTP traffic on port 50006 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50095
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49704
Source: unknownNetwork traffic detected: HTTP traffic on port 50105 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50018
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50017
Source: unknownNetwork traffic detected: HTTP traffic on port 50061 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49676 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 50017 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50010
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50098
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50097
Source: unknownNetwork traffic detected: HTTP traffic on port 49704 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 50055 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50011
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50099
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50014
Source: unknownNetwork traffic detected: HTTP traffic on port 50090 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50013
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50015
Source: unknownNetwork traffic detected: HTTP traffic on port 50075 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 50106 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 50003 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49980 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 50087 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50028
Source: unknownNetwork traffic detected: HTTP traffic on port 50064 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 50035 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 50008 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 50014 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50021
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50022
Source: unknownNetwork traffic detected: HTTP traffic on port 50095 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50027
Source: unknownNetwork traffic detected: HTTP traffic on port 50098 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 50000 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 50021 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50030
Source: unknownNetwork traffic detected: HTTP traffic on port 50103 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49995 -> 443
Source: C:\Users\user\AppData\Local\Temp\{8A9DAA3D-7792-4C0B-949B-347972941ADA}\GUP.exe | Code function: 14_2_00007FF8E77D9CE0 CryptAcquireContextA,CryptImportKey,CryptReleaseContext,CryptEncrypt,CryptDestroyKey,CryptReleaseContext,14_2_00007FF8E77D9CE0
Source: C:\Users\user\AppData\Roaming\Writerfirefox_SD_v5\GUP.exe | Code function: 15_2_00007FF8E75A9CE0 CryptAcquireContextA,CryptImportKey,CryptReleaseContext,CryptEncrypt,CryptDestroyKey,CryptReleaseContext,15_2_00007FF8E75A9CE0

System Summary

Source: ISRT.dll.3.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\javasign_test.exe B22BF1210B5FD173A210EBFA9092390AA0513C41E1914CBE161EB547F049EF91
Source: MSIBD70.tmp.0.dr | Static PE information: Resource name: PUBLICKEY type: b.out overlay separate pure segmented executable V2.3 186 286 286 386 Large Text Large Data Huge Objects Enabled
Source: javasign_test.exe.16.dr | Static PE information: Resource name: ZIP type: Zip archive data (empty)
Source: bfh.23.dr | Static PE information: Number of sections : 12 > 10
Source: uikfehek.16.dr | Static PE information: Number of sections : 12 > 10
Source: ISRT.dll.3.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: classification engine | Classification label: mal88.spyw.evad.mine.winMSI@87/265@19/21
Source: C:\Users\user\AppData\Local\Temp\{5B642672-98B5-4E85-98D9-B1E750D8B749}\ISBEW64.exe | Code function: 4_2_00007FF60D633140 CoCreateInstance,4_2_00007FF60D633140
Source: C:\Users\user\AppData\Local\Temp\{5B642672-98B5-4E85-98D9-B1E750D8B749}\ISBEW64.exe | Code function: 4_2_00007FF60D635870 LoadLibraryExW,LoadLibraryExW,FindResourceW,LoadResource,SizeofResource,MultiByteToWideChar,FreeLibrary,4_2_00007FF60D635870
Source: C:\Users\user\AppData\Local\Temp\{8A9DAA3D-7792-4C0B-949B-347972941ADA}\GUP.exe | File created: C:\Users\user\AppData\Roaming\Writerfirefox_SD_v5
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5104:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8124:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7856:120:WilError_03
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Local\Temp\MSIBA81.tmp
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe | System information queried: HandleInformation
Source: C:\Windows\SysWOW64\msiexec.exe | File read: C:\Users\user\AppData\Local\Temp\{5B642672-98B5-4E85-98D9-B1E750D8B749}\IsConfig.ini
Source: C:\Users\user\AppData\Local\Temp\{5B642672-98B5-4E85-98D9-B1E750D8B749}\ISBEW64.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: javasign_test.exe, 00000019.00000003.1950799355.00000000008C6000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: GUP.exe | String found in binary or memory: Usage : gup --help gup -options gup [-verbose] [-vVERSION_VALUE] [-pCUSTOM_PARAM] gup -clean FOLDER_TO_ACTION gup -unzipTo [-clea
Source: GUP.exe | String found in binary or memory: --help
Source: GUP.exe | String found in binary or memory: Usage :gup --helpgup -optionsgup [-verbose] [-vVERSION_VALUE] [-pCUSTOM_PARAM]gup -clean FOLDER_TO_ACTIONgup -unzipTo [-clea
Source: unknown | Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\82.msi"
Source: unknown | Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 7099DE4C06DCDCA8213456323FF799A9 C
Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Users\user\AppData\Local\Temp\{5B642672-98B5-4E85-98D9-B1E750D8B749}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{5B642672-98B5-4E85-98D9-B1E750D8B749}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{19DA863E-B60E-44E3-9DE7-C50CC5323CF1}
Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Users\user\AppData\Local\Temp\{5B642672-98B5-4E85-98D9-B1E750D8B749}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{5B642672-98B5-4E85-98D9-B1E750D8B749}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{B9E5B376-8165-4785-BDBB-065141BB3F13}
Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Users\user\AppData\Local\Temp\{5B642672-98B5-4E85-98D9-B1E750D8B749}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{5B642672-98B5-4E85-98D9-B1E750D8B749}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{59247D03-E983-4D17-A383-BFA23594A11E}
Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Users\user\AppData\Local\Temp\{5B642672-98B5-4E85-98D9-B1E750D8B749}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{5B642672-98B5-4E85-98D9-B1E750D8B749}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{D3E21DF4-856E-4EF5-B3CC-948D8562DF5B}
Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Users\user\AppData\Local\Temp\{5B642672-98B5-4E85-98D9-B1E750D8B749}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{5B642672-98B5-4E85-98D9-B1E750D8B749}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{9C1ACE04-B793-4578-8AA9-BF2942701188}
Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Users\user\AppData\Local\Temp\{5B642672-98B5-4E85-98D9-B1E750D8B749}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{5B642672-98B5-4E85-98D9-B1E750D8B749}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{34B60CF7-FDDB-46AC-B9FC-B9E4CB726719}
Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Users\user\AppData\Local\Temp\{5B642672-98B5-4E85-98D9-B1E750D8B749}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{5B642672-98B5-4E85-98D9-B1E750D8B749}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{22BCA8AC-0CFF-4E0F-813E-04A85DA8072F}
Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Users\user\AppData\Local\Temp\{5B642672-98B5-4E85-98D9-B1E750D8B749}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{5B642672-98B5-4E85-98D9-B1E750D8B749}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{FABFADDC-410A-4184-ACD0-480D29FAFAD4}
Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Users\user\AppData\Local\Temp\{5B642672-98B5-4E85-98D9-B1E750D8B749}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{5B642672-98B5-4E85-98D9-B1E750D8B749}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{8F6DE6B4-1A54-456A-935D-61EC3C05B24E}
Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Users\user\AppData\Local\Temp\{5B642672-98B5-4E85-98D9-B1E750D8B749}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{5B642672-98B5-4E85-98D9-B1E750D8B749}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{0DBB6F03-FD72-450E-9BF6-302E16702B72}
Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Users\user\AppData\Local\Temp\{8A9DAA3D-7792-4C0B-949B-347972941ADA}\GUP.exe C:\Users\user\AppData\Local\Temp\{8A9DAA3D-7792-4C0B-949B-347972941ADA}\GUP.exe
Source: C:\Users\user\AppData\Local\Temp\{8A9DAA3D-7792-4C0B-949B-347972941ADA}\GUP.exe | Process created: C:\Users\user\AppData\Roaming\Writerfirefox_SD_v5\GUP.exe C:\Users\user\AppData\Roaming\Writerfirefox_SD_v5\GUP.exe
Source: C:\Users\user\AppData\Roaming\Writerfirefox_SD_v5\GUP.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Writerfirefox_SD_v5\GUP.exe "C:\Users\user\AppData\Roaming\Writerfirefox_SD_v5\GUP.exe"
Source: C:\Users\user\AppData\Roaming\Writerfirefox_SD_v5\GUP.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\javasign_test.exe C:\Users\user\AppData\Local\Temp\javasign_test.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\javasign_test.exe C:\Users\user\AppData\Local\Temp\javasign_test.exe
Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe | Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory="Default"
Source: unknown | Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2232 --field-trial-handle=2132,i,3809154015794764624,15846486505537806196,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=1888 --field-trial-handle=2072,i,6599914520268651248,6988273633780560088,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=7084 --field-trial-handle=2072,i,6599914520268651248,6988273633780560088,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=7144 --field-trial-handle=2072,i,6599914520268651248,6988273633780560088,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-GB --service-sandbox-type=search_indexer --message-loop-type-ui --mojo-platform-channel-handle=7188 --field-trial-handle=2072,i,6599914520268651248,6988273633780560088,262144 /prefetch:8
Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 7099DE4C06DCDCA8213456323FF799A9 CJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Users\user\AppData\Local\Temp\{5B642672-98B5-4E85-98D9-B1E750D8B749}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{5B642672-98B5-4E85-98D9-B1E750D8B749}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{19DA863E-B60E-44E3-9DE7-C50CC5323CF1}Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Users\user\AppData\Local\Temp\{5B642672-98B5-4E85-98D9-B1E750D8B749}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{5B642672-98B5-4E85-98D9-B1E750D8B749}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{B9E5B376-8165-4785-BDBB-065141BB3F13}Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Users\user\AppData\Local\Temp\{5B642672-98B5-4E85-98D9-B1E750D8B749}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{5B642672-98B5-4E85-98D9-B1E750D8B749}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{59247D03-E983-4D17-A383-BFA23594A11E}Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Users\user\AppData\Local\Temp\{5B642672-98B5-4E85-98D9-B1E750D8B749}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{5B642672-98B5-4E85-98D9-B1E750D8B749}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{D3E21DF4-856E-4EF5-B3CC-948D8562DF5B}Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Users\user\AppData\Local\Temp\{5B642672-98B5-4E85-98D9-B1E750D8B749}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{5B642672-98B5-4E85-98D9-B1E750D8B749}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{9C1ACE04-B793-4578-8AA9-BF2942701188}Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Users\user\AppData\Local\Temp\{5B642672-98B5-4E85-98D9-B1E750D8B749}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{5B642672-98B5-4E85-98D9-B1E750D8B749}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{34B60CF7-FDDB-46AC-B9FC-B9E4CB726719}Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Users\user\AppData\Local\Temp\{5B642672-98B5-4E85-98D9-B1E750D8B749}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{5B642672-98B5-4E85-98D9-B1E750D8B749}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{22BCA8AC-0CFF-4E0F-813E-04A85DA8072F}Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Users\user\AppData\Local\Temp\{5B642672-98B5-4E85-98D9-B1E750D8B749}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{5B642672-98B5-4E85-98D9-B1E750D8B749}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{FABFADDC-410A-4184-ACD0-480D29FAFAD4}Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Users\user\AppData\Local\Temp\{5B642672-98B5-4E85-98D9-B1E750D8B749}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{5B642672-98B5-4E85-98D9-B1E750D8B749}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{8F6DE6B4-1A54-456A-935D-61EC3C05B24E}Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Users\user\AppData\Local\Temp\{5B642672-98B5-4E85-98D9-B1E750D8B749}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{5B642672-98B5-4E85-98D9-B1E750D8B749}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{0DBB6F03-FD72-450E-9BF6-302E16702B72}Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Users\user\AppData\Local\Temp\{8A9DAA3D-7792-4C0B-949B-347972941ADA}\GUP.exe C:\Users\user\AppData\Local\Temp\{8A9DAA3D-7792-4C0B-949B-347972941ADA}\GUP.exeJump to behavior
Source: C:\Users\user\AppData\Local\Temp\{8A9DAA3D-7792-4C0B-949B-347972941ADA}\GUP.exeProcess created: C:\Users\user\AppData\Roaming\Writerfirefox_SD_v5\GUP.exe C:\Users\user\AppData\Roaming\Writerfirefox_SD_v5\GUP.exeJump to behavior
Source: C:\Users\user\AppData\Roaming\Writerfirefox_SD_v5\GUP.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exeJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\AppData\Local\Temp\javasign_test.exe C:\Users\user\AppData\Local\Temp\javasign_test.exeJump to behavior
Source: C:\Users\user\AppData\Roaming\Writerfirefox_SD_v5\GUP.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exeJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\AppData\Local\Temp\javasign_test.exe C:\Users\user\AppData\Local\Temp\javasign_test.exeJump to behavior
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exeProcess created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory="Default"Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeProcess created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeProcess created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeProcess created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2232 --field-trial-handle=2132,i,3809154015794764624,15846486505537806196,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeProcess created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeProcess created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeProcess created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=1888 --field-trial-handle=2072,i,6599914520268651248,6988273633780560088,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeProcess created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeProcess created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeProcess created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeProcess created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeProcess created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeProcess created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeProcess created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeProcess created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeProcess created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeProcess created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeProcess created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeProcess created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeProcess created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeProcess created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=7084 --field-trial-handle=2072,i,6599914520268651248,6988273633780560088,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeProcess created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=7144 --field-trial-handle=2072,i,6599914520268651248,6988273633780560088,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeProcess created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeProcess created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeProcess created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeProcess created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeProcess created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeProcess created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeProcess created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeProcess created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeProcess created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeProcess created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeProcess created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeProcess created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeProcess created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeProcess created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeProcess created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeProcess created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeProcess created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-GB --service-sandbox-type=search_indexer --message-loop-type-ui --mojo-platform-channel-handle=7188 --field-trial-handle=2072,i,6599914520268651248,6988273633780560088,262144 /prefetch:8
Source: C:\Windows\System32\msiexec.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: aclayers.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: sfc_os.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: msi.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: srpapi.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: tsappcmp.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: textinputframework.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: coremessaging.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: ntmarta.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: textshaping.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: netapi32.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: wkscli.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: msihnd.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: dwmapi.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: pcacli.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: aclayers.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: sfc_os.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: msi.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: tsappcmp.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: msi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: riched32.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: riched20.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: usp10.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: msls31.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sxs.dll
Source: C:\Users\user\AppData\Local\Temp\{5B642672-98B5-4E85-98D9-B1E750D8B749}\ISBEW64.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\{5B642672-98B5-4E85-98D9-B1E750D8B749}\ISBEW64.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\{5B642672-98B5-4E85-98D9-B1E750D8B749}\ISBEW64.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\{5B642672-98B5-4E85-98D9-B1E750D8B749}\ISBEW64.exe | Section loaded: sxs.dll
Source: C:\Users\user\AppData\Local\Temp\{5B642672-98B5-4E85-98D9-B1E750D8B749}\ISBEW64.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\{5B642672-98B5-4E85-98D9-B1E750D8B749}\ISBEW64.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\{5B642672-98B5-4E85-98D9-B1E750D8B749}\ISBEW64.exe | Section loaded: sxs.dll
Source: C:\Users\user\AppData\Local\Temp\{5B642672-98B5-4E85-98D9-B1E750D8B749}\ISBEW64.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\{5B642672-98B5-4E85-98D9-B1E750D8B749}\ISBEW64.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\{5B642672-98B5-4E85-98D9-B1E750D8B749}\ISBEW64.exe | Section loaded: sxs.dll
Source: C:\Users\user\AppData\Local\Temp\{5B642672-98B5-4E85-98D9-B1E750D8B749}\ISBEW64.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\{5B642672-98B5-4E85-98D9-B1E750D8B749}\ISBEW64.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\{5B642672-98B5-4E85-98D9-B1E750D8B749}\ISBEW64.exe | Section loaded: sxs.dll
Source: C:\Users\user\AppData\Local\Temp\{5B642672-98B5-4E85-98D9-B1E750D8B749}\ISBEW64.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\{5B642672-98B5-4E85-98D9-B1E750D8B749}\ISBEW64.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\{5B642672-98B5-4E85-98D9-B1E750D8B749}\ISBEW64.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\{5B642672-98B5-4E85-98D9-B1E750D8B749}\ISBEW64.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\{5B642672-98B5-4E85-98D9-B1E750D8B749}\ISBEW64.exe | Section loaded: sxs.dll
Source: C:\Users\user\AppData\Local\Temp\{5B642672-98B5-4E85-98D9-B1E750D8B749}\ISBEW64.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\{5B642672-98B5-4E85-98D9-B1E750D8B749}\ISBEW64.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\{5B642672-98B5-4E85-98D9-B1E750D8B749}\ISBEW64.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\{5B642672-98B5-4E85-98D9-B1E750D8B749}\ISBEW64.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\{5B642672-98B5-4E85-98D9-B1E750D8B749}\ISBEW64.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\{5B642672-98B5-4E85-98D9-B1E750D8B749}\ISBEW64.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\{5B642672-98B5-4E85-98D9-B1E750D8B749}\ISBEW64.exe | Section loaded: sxs.dll
Source: C:\Users\user\AppData\Local\Temp\{5B642672-98B5-4E85-98D9-B1E750D8B749}\ISBEW64.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\{5B642672-98B5-4E85-98D9-B1E750D8B749}\ISBEW64.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\{5B642672-98B5-4E85-98D9-B1E750D8B749}\ISBEW64.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\{5B642672-98B5-4E85-98D9-B1E750D8B749}\ISBEW64.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\{5B642672-98B5-4E85-98D9-B1E750D8B749}\ISBEW64.exe | Section loaded: sxs.dll
Source: C:\Users\user\AppData\Local\Temp\{5B642672-98B5-4E85-98D9-B1E750D8B749}\ISBEW64.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\{5B642672-98B5-4E85-98D9-B1E750D8B749}\ISBEW64.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\{5B642672-98B5-4E85-98D9-B1E750D8B749}\ISBEW64.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\{5B642672-98B5-4E85-98D9-B1E750D8B749}\ISBEW64.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\{5B642672-98B5-4E85-98D9-B1E750D8B749}\ISBEW64.exe | Section loaded: sxs.dll
Source: C:\Users\user\AppData\Local\Temp\{5B642672-98B5-4E85-98D9-B1E750D8B749}\ISBEW64.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\{5B642672-98B5-4E85-98D9-B1E750D8B749}\ISBEW64.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\{5B642672-98B5-4E85-98D9-B1E750D8B749}\ISBEW64.exe | Section loaded: sxs.dll
Source: C:\Users\user\AppData\Local\Temp\{8A9DAA3D-7792-4C0B-949B-347972941ADA}\GUP.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\{8A9DAA3D-7792-4C0B-949B-347972941ADA}\GUP.exe | Section loaded: libcurl.dll
Source: C:\Users\user\AppData\Local\Temp\{8A9DAA3D-7792-4C0B-949B-347972941ADA}\GUP.exe | Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Local\Temp\{8A9DAA3D-7792-4C0B-949B-347972941ADA}\GUP.exe | Section loaded: pla.dll
Source: C:\Users\user\AppData\Local\Temp\{8A9DAA3D-7792-4C0B-949B-347972941ADA}\GUP.exe | Section loaded: pdh.dll
Source: C:\Users\user\AppData\Local\Temp\{8A9DAA3D-7792-4C0B-949B-347972941ADA}\GUP.exe | Section loaded: tdh.dll
Source: C:\Users\user\AppData\Local\Temp\{8A9DAA3D-7792-4C0B-949B-347972941ADA}\GUP.exe | Section loaded: cabinet.dll
Source: C:\Users\user\AppData\Local\Temp\{8A9DAA3D-7792-4C0B-949B-347972941ADA}\GUP.exe | Section loaded: wevtapi.dll
Source: C:\Users\user\AppData\Local\Temp\{8A9DAA3D-7792-4C0B-949B-347972941ADA}\GUP.exe | Section loaded: shdocvw.dll
Source: C:\Users\user\AppData\Local\Temp\{8A9DAA3D-7792-4C0B-949B-347972941ADA}\GUP.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\Writerfirefox_SD_v5\GUP.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\Writerfirefox_SD_v5\GUP.exe | Section loaded: libcurl.dll
Source: C:\Users\user\AppData\Roaming\Writerfirefox_SD_v5\GUP.exe | Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Roaming\Writerfirefox_SD_v5\GUP.exe | Section loaded: pla.dll
Source: C:\Users\user\AppData\Roaming\Writerfirefox_SD_v5\GUP.exe | Section loaded: pdh.dll
Source: C:\Users\user\AppData\Roaming\Writerfirefox_SD_v5\GUP.exe | Section loaded: tdh.dll
Source: C:\Users\user\AppData\Roaming\Writerfirefox_SD_v5\GUP.exe | Section loaded: cabinet.dll
Source: C:\Users\user\AppData\Roaming\Writerfirefox_SD_v5\GUP.exe | Section loaded: wevtapi.dll
Source: C:\Users\user\AppData\Roaming\Writerfirefox_SD_v5\GUP.exe | Section loaded: shdocvw.dll
Source: C:\Users\user\AppData\Roaming\Writerfirefox_SD_v5\GUP.exe | Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: winbrand.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: linkinfo.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: ntshrui.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: cscapi.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: bitsproxy.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\Writerfirefox_SD_v5\GUP.exe | Section loaded: libcurl.dll
Source: C:\Users\user\AppData\Roaming\Writerfirefox_SD_v5\GUP.exe | Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Roaming\Writerfirefox_SD_v5\GUP.exe | Section loaded: pla.dll
Source: C:\Users\user\AppData\Roaming\Writerfirefox_SD_v5\GUP.exe | Section loaded: pdh.dll
Source: C:\Users\user\AppData\Roaming\Writerfirefox_SD_v5\GUP.exe | Section loaded: tdh.dll
Source: C:\Users\user\AppData\Roaming\Writerfirefox_SD_v5\GUP.exe | Section loaded: cabinet.dll
Source: C:\Users\user\AppData\Roaming\Writerfirefox_SD_v5\GUP.exe | Section loaded: wevtapi.dll
Source: C:\Users\user\AppData\Roaming\Writerfirefox_SD_v5\GUP.exe | Section loaded: shdocvw.dll
Source: C:\Users\user\AppData\Roaming\Writerfirefox_SD_v5\GUP.exe | Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: winbrand.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe | Section loaded: shdocvw.dll
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe | Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe | Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe | Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe | Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe | Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe | Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe | Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe | Section loaded: shdocvw.dll
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe | Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe | Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe | Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe | Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe | Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe | Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe | Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: mpclient.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: secur32.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: sspicli.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: version.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: msasn1.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: kernel.appcore.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: userenv.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: gpapi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: wbemcomn.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: amsi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: profapi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: wscapi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: urlmon.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: iertutil.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: srvcli.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: netutils.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: slc.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\{5B642672-98B5-4E85-98D9-B1E750D8B749}\ISBEW64.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00020420-0000-0000-C000-000000000046}\InprocServer32Jump to behavior
Source: lixctkey.16.drLNK file: ..\..\Roaming\Writerfirefox_SD_v5\GUP.exe
Source: C:\Windows\SysWOW64\msiexec.exeFile written: C:\Users\user\AppData\Local\Temp\{5B642672-98B5-4E85-98D9-B1E750D8B749}\IsConfig.iniJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Windows\SysWOW64\RICHED32.DLLJump to behavior
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
Source: 82.msiStatic file information: File size 9527756 > 1048576
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2* source: javasign_test.exe, 00000019.00000003.1925523476.000000000088C000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.1927496083.000000000088C000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.1928394464.000000000088C000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\ source: javasign_test.exe, 00000019.00000003.1927496083.0000000000877000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.1925523476.0000000000877000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\Local State source: javasign_test.exe, 00000019.00000003.1928532432.000000000088C000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.1925523476.000000000088C000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.1927496083.000000000088C000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.1928394464.000000000088C000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB90r source: javasign_test.exe, 00000019.00000003.1927496083.0000000000877000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.1925523476.0000000000877000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\profiles.ini source: javasign_test.exe, 00000019.00000003.2124898533.0000000000853000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\Local Stateb source: javasign_test.exe, 00000019.00000003.1928532432.000000000088C000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.1925523476.000000000088C000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.1927496083.000000000088C000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.1928394464.000000000088C000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\profiles.ini source: javasign_test.exe, 00000019.00000003.2124898533.0000000000853000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\Local Statery source: javasign_test.exe, 00000019.00000003.1928532432.000000000088C000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.1925523476.000000000088C000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.1927496083.000000000088C000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.1928394464.000000000088C000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: ZC:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\5n1h2txyewy\SystemAppData\ source: javasign_test.exe, 00000019.00000003.1927496083.0000000000877000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.1925523476.0000000000877000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: cmd.exe, 00000010.00000002.1774215509.000000000497F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.1776267297.0000000005240000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.1951338129.0000000004926000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.1952703933.00000000051F0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ntdll.pdbUGP source: GUP.exe, 0000000E.00000002.1413945004.0000017409AAD000.00000004.00000020.00020000.00000000.sdmp, GUP.exe, 0000000E.00000002.1414149565.0000017409EA0000.00000004.00000800.00020000.00000000.sdmp, GUP.exe, 0000000F.00000002.1473505880.0000024EC6650000.00000004.00000800.00020000.00000000.sdmp, GUP.exe, 0000000F.00000002.1473286374.0000024EC6254000.00000004.00000020.00020000.00000000.sdmp, GUP.exe, 0000000F.00000002.1473818770.0000024EC685D000.00000004.00000001.00020000.00000000.sdmp, GUP.exe, 00000016.00000002.1740045949.000001DFAF5E5000.00000004.00000020.00020000.00000000.sdmp, GUP.exe, 00000016.00000002.1740867781.000001DFAFBE7000.00000004.00000001.00020000.00000000.sdmp, GUP.exe, 00000016.00000002.1740272295.000001DFAF9E0000.00000004.00000800.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000002.2244678126.0000000005A49000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000002.2240699533.0000000003E43000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000002.2242372739.0000000004A43000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000002.2246183204.0000000005E41000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000002.2242891477.0000000004E46000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000002.2242064781.000000000484F000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000002.2243966630.000000000564F000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000002.2250720438.000000000644E000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000002.2251482385.0000000006A48000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000002.2243376961.000000000524B000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000002.2239415883.0000000002CA0000.00000004.00001000.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000002.2252298555.000000000704A000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000002.2238643122.000000000233D000.00000004.00000020.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000002.2251212144.000000000684B000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000002.2250954957.0000000006649000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000002.2243662590.000000000544C000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000002.2252078722.0000000006E48000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000002.2241251920.0000000004241000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: cmd.exe, 00000010.00000002.1774215509.000000000497F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.1776267297.0000000005240000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.1951338129.0000000004926000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.1952703933.00000000051F0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: d.pdb\01AB9056EA9380F71644C4339E3FA1AC2\Local State source: javasign_test.exe, 00000019.00000003.1927496083.0000000000877000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.1925523476.0000000000877000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: WC:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: javasign_test.exe, 00000019.00000003.1927496083.0000000000877000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.1925523476.0000000000877000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: bols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\Local StatebeU source: javasign_test.exe, 00000019.00000003.1927496083.0000000000877000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.1925523476.0000000000877000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: C:\CodeBases\isdev\Src\Runtime\InstallScript\ISBEW64\x64\Release\ISBEW64.pdb source: ISBEW64.exe, 00000004.00000000.1383839623.00007FF60D647000.00000002.00000001.01000000.00000003.sdmp, ISBEW64.exe, 00000004.00000002.1385736138.00007FF60D647000.00000002.00000001.01000000.00000003.sdmp, ISBEW64.exe, 00000005.00000000.1384830551.00007FF60D647000.00000002.00000001.01000000.00000003.sdmp, ISBEW64.exe, 00000005.00000002.1386511839.00007FF60D647000.00000002.00000001.01000000.00000003.sdmp, ISBEW64.exe, 00000006.00000002.1387221455.00007FF60D647000.00000002.00000001.01000000.00000003.sdmp, ISBEW64.exe, 00000006.00000000.1385966946.00007FF60D647000.00000002.00000001.01000000.00000003.sdmp, ISBEW64.exe, 00000007.00000002.1388092835.00007FF60D647000.00000002.00000001.01000000.00000003.sdmp, ISBEW64.exe, 00000007.00000000.1386644239.00007FF60D647000.00000002.00000001.01000000.00000003.sdmp, ISBEW64.exe, 00000008.00000002.1389691219.00007FF60D647000.00000002.00000001.01000000.00000003.sdmp, ISBEW64.exe, 00000008.00000000.1387337150.00007FF60D647000.00000002.00000001.01000000.00000003.sdmp, ISBEW64.exe, 00000009.00000002.1412285484.00007FF60D647000.00000002.00000001.01000000.00000003.sdmp, ISBEW64.exe, 00000009.00000000.1389423570.00007FF60D647000.00000002.00000001.01000000.00000003.sdmp, ISBEW64.exe, 0000000A.00000000.1390438698.00007FF60D647000.00000002.00000001.01000000.00000003.sdmp, ISBEW64.exe, 0000000A.00000002.1392509858.00007FF60D647000.00000002.00000001.01000000.00000003.sdmp, ISBEW64.exe, 0000000B.00000002.1393322905.00007FF60D647000.00000002.00000001.01000000.00000003.sdmp, ISBEW64.exe, 0000000B.00000000.1391511961.00007FF60D647000.00000002.00000001.01000000.00000003.sdmp, ISBEW64.exe, 0000000C.00000000.1392631699.00007FF60D647000.00000002.00000001.01000000.00000003.sdmp, ISBEW64.exe, 0000000C.00000002.1394495944.00007FF60D647000.00000002.00000001.01000000.00000003.sdmp, ISBEW64.exe, 0000000D.00000000.1393419305.00007FF60D647000.00000002.00000001.01000000.00000003.sdmp, ISBEW64.exe, 0000000D.00000002.1396449923.00007FF60D647000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2^ source: javasign_test.exe, 00000019.00000003.1928532432.000000000088C000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.1925523476.000000000088C000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.1927496083.000000000088C000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.1928394464.000000000088C000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: bols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\Local State source: javasign_test.exe, 00000019.00000003.1927496083.0000000000877000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.1925523476.0000000000877000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: VC:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\cal\Temp\Symbols source: javasign_test.exe, 00000019.00000003.1927496083.0000000000877000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.1925523476.0000000000877000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: javasign_test.exe, 00000019.00000003.1927496083.0000000000877000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.1925523476.0000000000877000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2c source: javasign_test.exe, 00000019.00000003.1927496083.0000000000894000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.1931483393.0000000000894000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.1928951581.0000000000894000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.1928819682.0000000000894000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.1929310350.0000000000894000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.1930401163.0000000000894000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.1928532432.0000000000894000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.1928394464.0000000000894000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: ntdll.pdb source: GUP.exe, 0000000E.00000002.1413945004.0000017409AAD000.00000004.00000020.00020000.00000000.sdmp, GUP.exe, 0000000E.00000002.1414149565.0000017409EA0000.00000004.00000800.00020000.00000000.sdmp, GUP.exe, 0000000F.00000002.1473505880.0000024EC6650000.00000004.00000800.00020000.00000000.sdmp, GUP.exe, 0000000F.00000002.1473286374.0000024EC6254000.00000004.00000020.00020000.00000000.sdmp, GUP.exe, 0000000F.00000002.1473818770.0000024EC685D000.00000004.00000001.00020000.00000000.sdmp, GUP.exe, 00000016.00000002.1740045949.000001DFAF5E5000.00000004.00000020.00020000.00000000.sdmp, GUP.exe, 00000016.00000002.1740867781.000001DFAFBE7000.00000004.00000001.00020000.00000000.sdmp, GUP.exe, 00000016.00000002.1740272295.000001DFAF9E0000.00000004.00000800.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000002.2244678126.0000000005A49000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000002.2240699533.0000000003E43000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000002.2242372739.0000000004A43000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000002.2246183204.0000000005E41000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000002.2242891477.0000000004E46000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000002.2242064781.000000000484F000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000002.2243966630.000000000564F000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000002.2250720438.000000000644E000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000002.2251482385.0000000006A48000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000002.2243376961.000000000524B000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000002.2239415883.0000000002CA0000.00000004.00001000.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000002.2252298555.000000000704A000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000002.2238643122.000000000233D000.00000004.00000020.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000002.2251212144.000000000684B000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000002.2250954957.0000000006649000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000002.2243662590.000000000544C000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000002.2252078722.0000000006E48000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000002.2241251920.0000000004241000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\Local State source: javasign_test.exe, 00000019.00000003.1928532432.000000000088C000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.1925523476.000000000088C000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.1927496083.000000000088C000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.1928394464.000000000088C000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: javasign_test.exe, 00000019.00000003.1927496083.0000000000894000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.1931483393.0000000000894000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.1927496083.0000000000877000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.1925523476.0000000000877000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.1928951581.0000000000894000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.1928819682.0000000000894000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.1929310350.0000000000894000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.1930401163.0000000000894000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.1928532432.0000000000894000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.1928394464.0000000000894000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831M source: javasign_test.exe, 00000019.00000003.1927496083.0000000000894000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.1931483393.0000000000894000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.1928951581.0000000000894000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.1928819682.0000000000894000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.1929310350.0000000000894000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.1930401163.0000000000894000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.1928532432.0000000000894000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.1928394464.0000000000894000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: [C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: javasign_test.exe, 00000019.00000003.1927496083.0000000000877000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.1925523476.0000000000877000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: [\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: javasign_test.exe, 00000019.00000003.1927496083.0000000000877000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.1925523476.0000000000877000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: javasign_test.exe, 00000019.00000003.1928532432.000000000088C000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.1925523476.000000000088C000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.1927496083.000000000088C000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.1928394464.000000000088C000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: fC:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB90r source: javasign_test.exe, 00000019.00000003.1927496083.0000000000877000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.1925523476.0000000000877000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\ source: javasign_test.exe, 00000019.00000003.1927496083.0000000000877000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.1925523476.0000000000877000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: javasign_test.exe, 00000019.00000003.1927496083.0000000000894000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.1927496083.0000000000877000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.1925523476.0000000000877000.00000004.00000001.00020000.00000000.sdmp
Source: C:\Users\user\AppData\Local\Temp\{5B642672-98B5-4E85-98D9-B1E750D8B749}\ISBEW64.exe Code function: 4_2_00007FF60D636B00 LoadLibraryW,GetProcAddress,FreeLibrary,FreeLibrary, 4_2_00007FF60D636B00
Source: initial sample Static PE information: section where entry point is pointing to: .rsrc
Source: libcurl.dll.14.dr Static PE information: real checksum: 0xae3f1 should be: 0xa6457
Source: MSIBD70.tmp.0.dr Static PE information: real checksum: 0x0 should be: 0x286a06
Source: bfh.23.dr Static PE information: real checksum: 0x2796e1 should be: 0x274b39
Source: libcurl.dll.3.dr Static PE information: real checksum: 0xae3f1 should be: 0xa6457
Source: _isres_0x0409.dll.3.dr Static PE information: real checksum: 0x0 should be: 0x1c5ec2
Source: uikfehek.16.dr Static PE information: real checksum: 0x2796e1 should be: 0x274b39
Source: MSIBD70.tmp.0.dr Static PE information: section name: .orpc
Source: libcurl.dll.3.dr Static PE information: section name: _RDATA
Source: libcurl.dll.14.dr Static PE information: section name: _RDATA
Source: javasign_test.exe.16.dr Static PE information: section name: Shared
Source: uikfehek.16.dr Static PE information: section name: .xdata
Source: uikfehek.16.dr Static PE information: section name: ffevn
Source: bfh.23.dr Static PE information: section name: .xdata
Source: bfh.23.dr Static PE information: section name: ffevn
Source: ISRT.dll.3.dr Static PE information: .text entropy: 7.9838191086194135
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\bfh
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\uikfehek
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\MSIBD70.tmp
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\javasign_test.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\MSIBA81.tmp
Source: C:\Windows\SysWOW64\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\{5B642672-98B5-4E85-98D9-B1E750D8B749}\ISRT.dll
Source: C:\Windows\SysWOW64\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\{5B642672-98B5-4E85-98D9-B1E750D8B749}\ISBEW64.exe
Source: C:\Windows\SysWOW64\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\{8A9DAA3D-7792-4C0B-949B-347972941ADA}\libcurl.dll
Source: C:\Windows\SysWOW64\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\{8A9DAA3D-7792-4C0B-949B-347972941ADA}\GUP.exe
Source: C:\Windows\SysWOW64\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\{5B642672-98B5-4E85-98D9-B1E750D8B749}\_isres_0x0409.dll
Source: C:\Users\user\AppData\Local\Temp\{8A9DAA3D-7792-4C0B-949B-347972941ADA}\GUP.exe File created: C:\Users\user\AppData\Roaming\Writerfirefox_SD_v5\libcurl.dll
Source: C:\Users\user\AppData\Local\Temp\{8A9DAA3D-7792-4C0B-949B-347972941ADA}\GUP.exe File created: C:\Users\user\AppData\Roaming\Writerfirefox_SD_v5\GUP.exe
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\uikfehek
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\bfh
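The "Static PE information" rows above (checksum mismatches, an entry point inside .rsrc, section names no linker emits, a .text section with near-maximal entropy) come from a handful of header checks that are easy to reproduce offline. The script below is an added example, not part of the Joe Sandbox report or of the sample: it constructs a small PE32 image in memory with the same traits (CheckSum 0 as in MSIBD70.tmp, the entry point inside .rsrc, an unknown section named ffevn filled with high-entropy bytes) and runs the checks on it. The checksum routine is the documented PE/COFF image checksum, the value imagehlp's CheckSumMappedFile returns; the report prints the header field as "real checksum" and this value as "should be". COMMON_SECTION_NAMES and the 7.2 bits/byte entropy threshold are our own choices, not the sandbox's.

```python
"""Static PE triage behind the "Static PE information" rows above. Added example:
the PE is constructed in memory, no sample from the report is embedded."""
import hashlib
import math
import struct
from collections import Counter

# Assumption: the sandbox's allow-list of section names is not published; this
# short list of linker-emitted names stands in for it.
COMMON_SECTION_NAMES = {".text", ".rdata", ".data", ".idata", ".edata", ".rsrc",
                        ".reloc", ".bss", ".tls", ".pdata", ".xdata", ".CRT"}
IMAGE_SCN_MEM_EXECUTE = 0x20000000
ENTROPY_THRESHOLD = 7.2      # bits per byte; above this assume packed or encrypted
FILE_ALIGN, SECT_ALIGN = 0x200, 0x1000


def pe_checksum(data: bytes, checksum_offset: int) -> int:
    """Image checksum as imagehlp computes it: a 16-bit one's-complement fold over
    every dword except the CheckSum field itself, plus the file length."""
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == checksum_offset:
            continue                      # the field being computed reads as zero
        total += struct.unpack_from("<I", padded, off)[0]
        if total >= 1 << 32:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)


def shannon_entropy(blob: bytes) -> float:
    n = len(blob)
    return -sum(c / n * math.log2(c / n) for c in Counter(blob).values()) if n else 0.0


def parse_pe(data: bytes) -> dict:
    """Minimal PE32/PE32+ header walk covering only the fields the checks need."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    coff, sections = e_lfanew + 4, []
    n_sections, opt_size = struct.unpack_from("<H12xH", data, coff + 2)
    opt = coff + 20
    for i in range(n_sections):
        name, vsize, rva, rsize, rptr, chars = struct.unpack_from(
            "<8sIIII12xI", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"), "rva": rva,
                         "vsize": vsize, "raw_ptr": rptr, "raw_size": rsize, "chars": chars})
    return {"entry_rva": struct.unpack_from("<I", data, opt + 16)[0],
            "checksum_offset": opt + 64,      # same offset in PE32 and PE32+
            "header_checksum": struct.unpack_from("<I", data, opt + 64)[0],
            "sections": sections}


def analyze(data: bytes) -> dict:
    pe = parse_pe(data)
    computed = pe_checksum(data, pe["checksum_offset"])
    ep = next((s for s in pe["sections"] if s["rva"] <= pe["entry_rva"]
               < s["rva"] + max(s["vsize"], s["raw_size"])), None)
    findings, entropy = [], {}
    if pe["header_checksum"] != computed:
        findings.append(f"checksum mismatch: real 0x{pe['header_checksum']:x} "
                        f"should be 0x{computed:x}")
    if ep is None:
        findings.append("entry point outside every section")
    elif not ep["chars"] & IMAGE_SCN_MEM_EXECUTE:
        findings.append(f"entry point in non-executable section {ep['name']!r}")
    for s in pe["sections"]:
        ent = shannon_entropy(data[s["raw_ptr"]:s["raw_ptr"] + s["raw_size"]])
        entropy[s["name"]] = ent
        if s["name"] not in COMMON_SECTION_NAMES:
            findings.append(f"unusual section name {s['name']!r}")
        if ent > ENTROPY_THRESHOLD:
            findings.append(f"high entropy {ent:.2f} in {s['name']!r}")
    return {"header_checksum": pe["header_checksum"], "computed_checksum": computed,
            "entry_section": ep["name"] if ep else None, "entropy": entropy,
            "findings": findings}


def with_correct_checksum(data: bytes) -> bytes:
    """Rewrite CheckSum to the computed value, as a linker would have."""
    off = parse_pe(data)["checksum_offset"]
    return data[:off] + struct.pack("<I", pe_checksum(data, off)) + data[off + 4:]


def build_sample_pe(checksum: int = 0) -> bytes:
    """Constructed PE32 with the traits reported above: CheckSum 0, entry point
    inside .rsrc, and an unknown 'ffevn' section of random-looking bytes."""
    filler = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(SECT_ALIGN // 32))
    secs = [(b".text", b"\xC3" * SECT_ALIGN, 0x60000020),  # code | exec | read
            (b".rsrc", b"\0" * SECT_ALIGN, 0x40000040),    # data | read
            (b"ffevn", filler, 0xC0000040)]                # data | read | write
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(secs), 0, 0, 0, 224, 0x0102)
    opt = struct.pack("<HBB9I6H4I2H6I", 0x10B, 14, 0, SECT_ALIGN, 2 * SECT_ALIGN, 0,
                      0x2010, 0x1000, 0x2000, 0x400000, SECT_ALIGN, FILE_ALIGN,
                      6, 0, 0, 0, 6, 0, 0, SECT_ALIGN * (len(secs) + 1), FILE_ALIGN,
                      checksum, 2, 0, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += b"\0" * 128                                   # 16 empty data directories
    hdrs, body, raw_off = b"", b"", FILE_ALIGN
    for i, (name, blob, chars) in enumerate(secs):
        hdrs += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(blob),
                            SECT_ALIGN * (i + 1), len(blob), raw_off, 0, 0, 0, 0, chars)
        raw_off += len(blob)
        body += blob
    return (dos + b"PE\0\0" + coff + opt + hdrs).ljust(FILE_ALIGN, b"\0") + body
```

Running `analyze(build_sample_pe())` yields the four findings the rows above show for the real dropped files: a checksum mismatch, an entry point in a non-executable .rsrc, an unknown section name, and a high-entropy section; `analyze(with_correct_checksum(raw))` drops the first one. Two caveats for triage: a zero or stale CheckSum is weak evidence on its own, since Windows verifies it only for drivers, DLLs loaded at boot and DLLs loaded into critical system processes, and many unsigned user-mode binaries ship with 0; and not every non-default section name is hostile (.xdata, which the report lists for uikfehek and bfh, is the ordinary x64 exception-data section that MSVC and MinGW emit), whereas an entry point inside a non-executable section is hard to explain benignly.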

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\cmd.exe Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\UIKFEHEK
Source: C:\Windows\SysWOW64\cmd.exe Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\BFH
Source: C:\Users\user\AppData\Local\Temp\{5B642672-98B5-4E85-98D9-B1E750D8B749}\ISBEW64.exe Code function: 4_2_00007FF60D637180 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 4_2_00007FF60D637180
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\SysWOW64\cmd.exe API/Special instruction interceptor: Address: 6CCC3B54
Source: C:\Windows\SysWOW64\cmd.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\bfh
Source: C:\Windows\SysWOW64\cmd.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\uikfehek
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIBD70.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIBA81.tmp
Source: C:\Windows\SysWOW64\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{5B642672-98B5-4E85-98D9-B1E750D8B749}\ISRT.dll
Source: C:\Windows\SysWOW64\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{5B642672-98B5-4E85-98D9-B1E750D8B749}\_isres_0x0409.dll
Source: C:\Users\user\AppData\Local\Temp\{5B642672-98B5-4E85-98D9-B1E750D8B749}\ISBEW64.exe Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep graph_4-8497
Source: C:\Users\user\AppData\Local\Temp\{5B642672-98B5-4E85-98D9-B1E750D8B749}\ISBEW64.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess graph_4-8970
Source: C:\Users\user\AppData\Local\Temp\{8A9DAA3D-7792-4C0B-949B-347972941ADA}\GUP.exe API coverage: 1.4 %
Source: C:\Users\user\AppData\Roaming\Writerfirefox_SD_v5\GUP.exe API coverage: 1.4 %
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe TID: 7808 Thread sleep time: -180000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe TID: 2188 Thread sleep time: -120000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe TID: 2188 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Roaming\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\
Source: javasign_test.exe, 00000019.00000003.1951419746.0000000007FAB000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696497155j
Source: javasign_test.exe, 00000019.00000003.1951419746.0000000007FAB000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696497155
Source: javasign_test.exe, 00000019.00000003.1951419746.0000000007FAB000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696497155t
Source: javasign_test.exe, 00000019.00000002.2238875875.0000000002781000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: http://www.vmware.com/0
Source: javasign_test.exe, 00000019.00000003.1951419746.0000000007FAB000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696497155
Source: javasign_test.exe, 00000019.00000002.2238875875.0000000002781000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware, Inc.1!0
Source: javasign_test.exe, 00000019.00000002.2238875875.0000000002781000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: http://www.vmware.com/0/
Source: javasign_test.exe, 00000019.00000003.2137969834.00000000004D5000.00000004.00000020.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.2177995459.00000000004D5000.00000004.00000020.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.1879586902.00000000004D5000.00000004.00000020.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.1897087534.00000000004D5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: javasign_test.exe, 00000019.00000002.2238875875.0000000002781000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware, Inc.1
Source: javasign_test.exe, 00000019.00000002.2238875875.0000000002781000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware, Inc.0
Source: javasign_test.exe, 00000019.00000003.1951419746.0000000007FAB000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - HKVMware20,11696497155]
Source: javasign_test.exe, 00000019.00000003.1951419746.0000000007FAB000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: secure.bankofamerica.comVMware20,11696497155|UE
Source: javasign_test.exe, 00000019.00000003.1951419746.0000000007FAB000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: tasks.office.comVMware20,11696497155o
Source: javasign_test.exe, 00000019.00000003.1951419746.0000000007FAB000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Canara Change Transaction PasswordVMware20,11696497155
Source: javasign_test.exe, 00000019.00000003.1951419746.0000000007FAB000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - EU East & CentralVMware20,11696497155
Source: javasign_test.exe, 00000019.00000003.1951419746.0000000007FAB000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: bankofamerica.comVMware20,11696497155x
Source: javasign_test.exe, 00000019.00000003.1951419746.0000000007FAB000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: ms.portal.azure.comVMware20,11696497155
Source: javasign_test.exe, 00000019.00000003.1951419746.0000000007FAB000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: trackpan.utiitsl.comVMware20,11696497155h
Source: javasign_test.exe, 00000019.00000003.1951419746.0000000007FAB000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - GDCDYNVMware20,11696497155p
Source: javasign_test.exe, 00000019.00000003.1951419746.0000000007FAB000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - EU WestVMware20,11696497155n
Source: javasign_test.exe, 00000019.00000003.1951419746.0000000007FAB000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: interactivebrokers.co.inVMware20,11696497155d
Source: javasign_test.exe, 00000019.00000003.1951419746.0000000007FAB000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Canara Transaction PasswordVMware20,11696497155x
Source: javasign_test.exe, 00000019.00000003.1951419746.0000000007FAB000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Test URL for global passwords blocklistVMware20,11696497155
Source: javasign_test.exe, 00000019.00000002.2238875875.0000000002781000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: noreply@vmware.com0
Source: javasign_test.exe, 00000019.00000003.1951419746.0000000007FAB000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: interactivebrokers.comVMware20,11696497155
Source: javasign_test.exe, 00000019.00000003.1951419746.0000000007FAB000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: AMC password management pageVMware20,11696497155
Source: javasign_test.exe, 00000019.00000003.1951419746.0000000007FAB000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696497155
Source: javasign_test.exe, 00000019.00000003.1951419746.0000000007FAB000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Canara Transaction PasswordVMware20,11696497155}
Source: javasign_test.exe, 00000019.00000002.2236776539.000000000045C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWPCI%SystemRoot%\system32\mswsock.dll;;
Source: javasign_test.exe, 00000019.00000003.1951419746.0000000007FAB000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Canara Change Transaction PasswordVMware20,11696497155^
Source: javasign_test.exe, 00000019.00000003.1951419746.0000000007FAB000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: account.microsoft.com/profileVMware20,11696497155u
Source: javasign_test.exe, 00000019.00000003.1951419746.0000000007FAB000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: discord.comVMware20,11696497155f
Source: javasign_test.exe, 00000019.00000003.1951419746.0000000007FAB000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: netportal.hdfcbank.comVMware20,11696497155
Source: javasign_test.exe, 00000019.00000003.1951419746.0000000007FAB000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - NDCDYNVMware20,11696497155z
Source: javasign_test.exe, 00000019.00000003.1951419746.0000000007FAB000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: outlook.office365.comVMware20,11696497155t
Source: javasign_test.exe, 00000019.00000003.1951419746.0000000007FAB000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: outlook.office.comVMware20,11696497155s
Source: javasign_test.exe, 00000019.00000003.1951419746.0000000007FAB000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: www.interactivebrokers.comVMware20,11696497155}
Source: javasign_test.exe, 00000019.00000003.1951419746.0000000007FAB000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: www.interactivebrokers.co.inVMware20,11696497155~
Source: javasign_test.exe, 00000019.00000003.1951419746.0000000007FAB000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: microsoft.visualstudio.comVMware20,11696497155x
Source: C:\Users\user\AppData\Local\Temp\{5B642672-98B5-4E85-98D9-B1E750D8B749}\ISBEW64.exeAPI call chain: ExitProcess graph end nodegraph_4-8971
Source: C:\Users\user\AppData\Local\Temp\{8A9DAA3D-7792-4C0B-949B-347972941ADA}\GUP.exeProcess information queried: ProcessInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\{5B642672-98B5-4E85-98D9-B1E750D8B749}\ISBEW64.exeCode function: 4_2_00007FF60D63AB1C IsDebuggerPresent,__crtUnhandledException,GetCurrentProcess,TerminateProcess,4_2_00007FF60D63AB1C
Source: C:\Users\user\AppData\Local\Temp\{5B642672-98B5-4E85-98D9-B1E750D8B749}\ISBEW64.exeCode function: 4_2_00007FF60D643008 EncodePointer,__crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,4_2_00007FF60D643008
Source: C:\Users\user\AppData\Local\Temp\{5B642672-98B5-4E85-98D9-B1E750D8B749}\ISBEW64.exeCode function: 4_2_00007FF60D636B00 LoadLibraryW,GetProcAddress,FreeLibrary,FreeLibrary,4_2_00007FF60D636B00
Source: C:\Users\user\AppData\Local\Temp\{5B642672-98B5-4E85-98D9-B1E750D8B749}\ISBEW64.exeCode function: 4_2_00007FF60D63CAE4 GetProcessHeap,4_2_00007FF60D63CAE4
Source: C:\Users\user\AppData\Local\Temp\{5B642672-98B5-4E85-98D9-B1E750D8B749}\ISBEW64.exeCode function: 4_2_00007FF60D63DCD4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,4_2_00007FF60D63DCD4
Source: C:\Users\user\AppData\Local\Temp\{5B642672-98B5-4E85-98D9-B1E750D8B749}\ISBEW64.exeCode function: 4_2_00007FF60D6407D8 SetUnhandledExceptionFilter,4_2_00007FF60D6407D8
Source: C:\Users\user\AppData\Local\Temp\{8A9DAA3D-7792-4C0B-949B-347972941ADA}\GUP.exeCode function: 14_2_00007FF60CD59134 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,14_2_00007FF60CD59134
Source: C:\Users\user\AppData\Local\Temp\{8A9DAA3D-7792-4C0B-949B-347972941ADA}\GUP.exeCode function: 14_2_00007FF60CD894D4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,14_2_00007FF60CD894D4
Source: C:\Users\user\AppData\Local\Temp\{8A9DAA3D-7792-4C0B-949B-347972941ADA}\GUP.exeCode function: 14_2_00007FF8E7828670 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,14_2_00007FF8E7828670
Source: C:\Users\user\AppData\Local\Temp\{8A9DAA3D-7792-4C0B-949B-347972941ADA}\GUP.exeCode function: 14_2_00007FF8E783C2D8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,14_2_00007FF8E783C2D8
Source: C:\Users\user\AppData\Roaming\Writerfirefox_SD_v5\GUP.exeCode function: 15_2_00007FF7F5E99134 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,15_2_00007FF7F5E99134
Source: C:\Users\user\AppData\Roaming\Writerfirefox_SD_v5\GUP.exeCode function: 15_2_00007FF7F5EC94D4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,15_2_00007FF7F5EC94D4
Source: C:\Users\user\AppData\Roaming\Writerfirefox_SD_v5\GUP.exeCode function: 15_2_00007FF8E75F8670 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,15_2_00007FF8E75F8670
Source: C:\Users\user\AppData\Roaming\Writerfirefox_SD_v5\GUP.exeCode function: 15_2_00007FF8E760C2D8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,15_2_00007FF8E760C2D8
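The "Binary or memory string" hits above feed the virtualization-detection signature, but they are two different kinds of evidence. "VMware, Inc.", "http://www.vmware.com/" and "noreply@vmware.com" are certificate-style vendor strings and do name a hypervisor; "Hyper-V RAW" is a Winsock catalog provider name that also appears on ordinary Windows 10 hosts, so it is weak evidence by itself. The rest pair a login-page title or domain (banks, brokers, Azure, Discord, Office) with the single constant token "VMware20,11696497155", which is the shape of a browser credential-store row, not of a hypervisor check; read together with the Firefox and Chrome profile accesses in the stealing section below, the more likely explanation is that the stealer loaded the sandbox's seeded logins into memory. That reading is a hypothesis to confirm against the dump, not something the report states. The script below is an added example and not part of the Joe Sandbox report: it classifies the listed strings on that basis and extracts the sites the credential-shaped records name. The string subset, the vendor patterns and the credential-row heuristic are mine.

```python
import re
from collections import Counter

# Added example, not part of the Joe Sandbox report.
# Constructed subset of the "Binary or memory string" hits listed above.
REPORT_STRINGS = [
    "dev.azure.comVMware20,11696497155j",
    "global block list test formVMware20,11696497155",
    "http://www.vmware.com/0",
    "VMware, Inc.1!0",
    "Hyper-V RAW",
    "secure.bankofamerica.comVMware20,11696497155|UE",
    "noreply@vmware.com0",
    "Hyper-V RAWPCI%SystemRoot%\\system32\\mswsock.dll;;",
    "Canara Transaction PasswordVMware20,11696497155x",
]

# Strings that name a hypervisor vendor or component directly: certificate
# subject/URL/e-mail fragments and the Hyper-V Winsock provider name.
HYPERVISOR_MARKERS = (
    re.compile(r"^VMware, Inc\."),
    re.compile(r"^https?://www\.vmware\.com/"),
    re.compile(r"@vmware\.com"),
    re.compile(r"^Hyper-V RAW"),
)

# ASSUMPTION: the constant token glued to every site/title string is a stored
# credential value, so "<site or title><token><junk>" is a credential-store row.
CREDENTIAL_TOKEN = "VMware20,11696497155"
CREDENTIAL_RECORD = re.compile(
    r"^(?P<site>.+?)" + re.escape(CREDENTIAL_TOKEN) + r"(?P<tail>.*)$"
)


def classify(s: str) -> str:
    """Return 'hypervisor-artifact', 'credential-record' or 'other' for one hit."""
    if any(p.search(s) for p in HYPERVISOR_MARKERS):
        return "hypervisor-artifact"
    m = CREDENTIAL_RECORD.match(s)
    if m and m.group("site"):
        return "credential-record"
    return "other"


def summarize(strings):
    """Count hits per class; a list dominated by credential rows says 'stealer', not 'VM check'."""
    return Counter(classify(s) for s in strings)


def credential_sites(strings):
    """Sites or login-page titles named by the credential-shaped records, in report order."""
    return [
        CREDENTIAL_RECORD.match(s).group("site")
        for s in strings
        if classify(s) == "credential-record"
    ]


if __name__ == "__main__":
    print(dict(summarize(REPORT_STRINGS)))
    print(credential_sites(REPORT_STRINGS))
```

Run over the full list from the report, the credential class outnumbers the vendor strings many times over; the vendor strings still stand on their own and should be checked against the certificate chain of the dropped files before the VM-detection verdict is discounted.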

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe | NtReadVirtualMemory: Direct from: 0x7FF747389689
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe | NtAllocateVirtualMemory: Direct from: 0x7FF74724355D
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe | NtAllocateVirtualMemory: Direct from: 0x7FF908164B5E
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe | NtQueryValueKey: Direct from: 0x14011D93E
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe | NtAllocateVirtualMemory: Direct from: 0x7FF7472D6FE7
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe | NtAllocateVirtualMemory: Direct from: 0x7FF74723F3F4
Source: C:\Users\user\AppData\Roaming\Writerfirefox_SD_v5\GUP.exe | NtAllocateVirtualMemory: Direct from: 0x110
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe | NtReadVirtualMemory: Direct from: 0x7FF74738996D
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe | NtClose: Indirect: 0x14012000F
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe | NtCreateThreadEx: Direct from: 0x7FF7472346A5
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe | NtAllocateVirtualMemory: Direct from: 0x7FF747237B7E
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe | NtReadFile: Direct from: 0x7FF7472D5613
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe | NtReadVirtualMemory: Direct from: 0x7FF74738FE68
Source: C:\Users\user\AppData\Roaming\Writerfirefox_SD_v5\GUP.exe | NtCreateFile: Direct from: 0x1DFA6C072B9
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe | NtQueryInformationProcess: Direct from: 0x7FF747346268
Source: C:\Users\user\AppData\Roaming\Writerfirefox_SD_v5\GUP.exe | NtAllocateVirtualMemory: Direct from: 0x1
Source: C:\Users\user\AppData\Roaming\Writerfirefox_SD_v5\GUP.exe | NtClose: Direct from: 0x2
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe | NtWriteVirtualMemory: Direct from: 0x7FF7473AD270
Source: C:\Users\user\AppData\Roaming\Writerfirefox_SD_v5\GUP.exe | NtProtectVirtualMemory: Direct from: 0x3
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe | NtAllocateVirtualMemory: Direct from: 0x14011D808
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe | NtTerminateProcess: Direct from: 0x7FF7472D9FDB
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe | NtAllocateVirtualMemory: Direct from: 0x7FF74731D990
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe | NtDelayExecution: Direct from: 0x7FF7473B4BA7
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe | NtSetInformationProcess: Direct from: 0x7FF7472CA82C
Source: C:\Users\user\AppData\Roaming\Writerfirefox_SD_v5\GUP.exe | NtQuerySystemInformation: Direct from: 0x24E00000000
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe | NtQueryInformationProcess: Direct from: 0x7FF747387F3D
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe | NtCreateFile: Direct from: 0x7FF747432D9B
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe | NtQueryInformationProcess: Direct from: 0x7FF747388E77
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe | NtDelayExecution: Direct from: 0x7FF7473B5DAA
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe | NtCreateFile: Direct from: 0x7FF7472CE503
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe | NtMapViewOfSection: Direct from: 0x7FF7472C11DA
Source: C:\Users\user\AppData\Roaming\Writerfirefox_SD_v5\GUP.exe | NtAllocateVirtualMemory: Direct from: 0x7FF9A0A76ACB
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe | NtSetInformationProcess: Direct from: 0x7FF747388F18
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe | NtClose: Direct from: 0x7FF7472CED60
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe | NtSetInformationProcess: Direct from: 0x7FF7473E9529
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe | NtAllocateVirtualMemory: Direct from: 0x7FF7472342F2
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe | NtOpenKeyEx: Direct from: 0x7FF7472F0B4F
Source: C:\Users\user\AppData\Local\Temp\{8A9DAA3D-7792-4C0B-949B-347972941ADA}\GUP.exe | NtQuerySystemInformation: Direct from: 0x18256FDFF0
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe | NtDeviceIoControlFile: Direct from: 0x7FF74731FB63
Source: C:\Users\user\AppData\Roaming\Writerfirefox_SD_v5\GUP.exe | NtClose: Direct from: 0x1DFA6B5EA00
Source: C:\Users\user\AppData\Roaming\Writerfirefox_SD_v5\GUP.exe | NtQuerySystemInformation: Direct from: 0x1DF00000000
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe | NtClose: Direct from: 0x7FF747432DB2
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe | NtAllocateVirtualMemory: Direct from: 0x7FF747390360
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe | NtAllocateVirtualMemory: Direct from: 0x7FF747433FC8
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe | NtQueryInformationProcess: Direct from: 0x7FF747438A25
Source: C:\Users\user\AppData\Roaming\Writerfirefox_SD_v5\GUP.exe | NtQuerySystemInformation: Direct from: 0xFFF5BE2E8
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe | NtClose: Direct from: 0x7FF74743522F
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe | NtReadVirtualMemory: Direct from: 0x7FF74738A24E
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe | NtDelayExecution: Direct from: 0x7FF7473BF980
Source: C:\Users\user\AppData\Roaming\Writerfirefox_SD_v5\GUP.exe | NtClose: Direct from: 0x24EBD6D51C0
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe | NtSetInformationProcess: Direct from: 0x7FF7472DADDE
Source: C:\Users\user\AppData\Local\Temp\{8A9DAA3D-7792-4C0B-949B-347972941ADA}\GUP.exe | NtAllocateVirtualMemory: Direct from: 0x17400E00000
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe | NtClose: Direct from: 0x14011D864
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe | NtAllocateVirtualMemory: Direct from: 0x7FF7472D55B6
Source: C:\Users\user\AppData\Roaming\Writerfirefox_SD_v5\GUP.exe | NtAllocateVirtualMemory: Direct from: 0x7FF8E7539635
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe | NtAllocateVirtualMemory: Direct from: 0x7FF747245651
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe | NtAllocateVirtualMemory: Direct from: 0x7FF74723B112
Source: C:\Users\user\AppData\Roaming\Writerfirefox_SD_v5\GUP.exe | NtProtectVirtualMemory: Direct from: 0x7FF8E76694F5
Source: C:\Users\user\AppData\Roaming\Writerfirefox_SD_v5\GUP.exe | NtQuerySystemInformation: Direct from: 0x7FF840CB21D3
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe | NtSetInformationProcess: Direct from: 0x7FF7472CA49D
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe | NtClose: Direct from: 0x7FF74743523D
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe | NtQueryValueKey: Direct from: 0x7FF7472C7233
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe | NtReadVirtualMemory: Direct from: 0x7FF747430A01
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe | NtDelayExecution: Direct from: 0x7FF7473B0B1B
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe | NtMapViewOfSection: Direct from: 0x7FF747433B9A
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe | NtSetInformationThread: Direct from: 0x7FF74743EAB2
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe | NtQueryInformationProcess: Direct from: 0x7FF7472DB303
Source: C:\Users\user\AppData\Roaming\Writerfirefox_SD_v5\GUP.exe | NtAllocateVirtualMemory: Direct from: 0x24EBD660000
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe | NtQueryInformationProcess: Direct from: 0x7FF7472CF4BD
Source: C:\Users\user\AppData\Roaming\Writerfirefox_SD_v5\GUP.exe | NtCreateNamedPipeFile: Direct from: 0x62
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe | NtAllocateVirtualMemory: Direct from: 0x7FF74731A4CE
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe | NtCreateThreadEx: Direct from: 0x7FF74723451C
Source: C:\Users\user\AppData\Roaming\Writerfirefox_SD_v5\GUP.exe | NtAllocateVirtualMemory: Direct from: 0x24EBD6D3F00
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe | NtDeviceIoControlFile: Direct from: 0x7FF7473506D1
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe | NtQueryInformationProcess: Direct from: 0x7FF7472DAEDE
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe | NtCreateFile: Direct from: 0x7FF747430C19
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe | NtSetInformationProcess: Direct from: 0x7FF7472DBC52
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe | NtAllocateVirtualMemory: Direct from: 0x7FF9081426A1
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe | NtReadVirtualMemory: Direct from: 0x7FF74739982B
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe | NtSetInformationProcess: Direct from: 0x7FF747389229
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe | NtAllocateVirtualMemory: Direct from: 0x7FF74723F13C
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe | NtCreateThreadEx: Direct from: 0x7FF7473E7890
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe | NtReadFile: Direct from: 0x14011D832
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe | NtEnumerateValueKey: Direct from: 0x7FF747379D0F
Source: C:\Users\user\AppData\Roaming\Writerfirefox_SD_v5\GUP.exe | NtAllocateVirtualMemory: Direct from: 0x7FF8E7669635
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe | NtAllocateVirtualMemory: Direct from: 0x7FF7472E947B
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe | NtQueryInformationProcess: Direct from: 0x7FF7473EB41D
Source: C:\Users\user\AppData\Roaming\Writerfirefox_SD_v5\GUP.exe | NtProtectVirtualMemory: Direct from: 0x7FF8E75394F5
Source: C:\Users\user\AppData\Roaming\Writerfirefox_SD_v5\GUP.exe | NtQuerySystemInformation: Direct from: 0x592CB6DBC8
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe | NtMapViewOfSection: Direct from: 0x7FF7472C10FF
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe | NtReadVirtualMemory: Direct from: 0x7FF74738FCF1
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe | NtAllocateVirtualMemory: Direct from: 0x7FF74731C900
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe | NtCreateFile: Direct from: 0x14011D7A4
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe | NtClose: Direct from: 0x7FF74743521B
Source: C:\Users\user\AppData\Roaming\Writerfirefox_SD_v5\GUP.exe | NtCreateFile: Direct from: 0x24EBD8812B9
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe | NtAllocateVirtualMemory: Direct from: 0x7FF7472EA066
Source: C:\Users\user\AppData\Roaming\Writerfirefox_SD_v5\GUP.exe | NtProtectVirtualMemory: Direct from: 0x6C006C
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe | NtAllocateVirtualMemory: Direct from: 0x140120A3C
Source: C:\Users\user\AppData\Roaming\Writerfirefox_SD_v5\GUP.exe | NtAllocateVirtualMemory: Direct from: 0x1DFA6B561B0
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe | NtReadVirtualMemory: Direct from: 0x7FF74738FB2D
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe | NtAllocateVirtualMemory: Direct from: 0x7FF7472EED20
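Each "Direct from" entry above records the address at which the `syscall` instruction that entered the kernel was executed, i.e. somewhere other than ntdll's exported stub, so a product that hooks ntdll's user-mode exports never sees the call; the one "Indirect" entry records code that jumped into ntdll's stub at the `syscall` instruction so that the return address looks ordinary. Two things in the list deserve separating during triage. Most javasign_test.exe callers sit in two address ranges (0x7FF7472..-0x7FF7474.. and 0x14011..-0x14012..), which is what syscall stubs embedded in the sample's own image look like, and the syscalls issued that way include the full set needed to write and start code in another process. Several GUP.exe callers (0x1, 0x2, 0x3, 0x110, 0x62, 0x6C006C, 0x24E00000000) are not code addresses at all; 0x6C006C in particular decodes as the UTF-16 text "ll", so the stack slot that was read as a return address held string data, which is how a spoofed or swapped call stack looks from the outside (that interpretation is mine, not the report's). The script below is an added example, not part of the Joe Sandbox report: it parses the entries, resolves callers against a module map, flags values that cannot be return addresses and lists the direct syscalls that form an injection primitive. The module ranges are hypothetical placeholders chosen so that the sample's own ranges resolve and nothing else does; on a real case take them from the report's module list.

```python
import re
from collections import Counter, defaultdict

# Added example, not part of the Joe Sandbox report.
# Matches both the fused and the column-separated form of a report entry.
ENTRY = re.compile(
    r"Source: (?P<proc>.+?)(?: \| )?(?P<sys>Nt\w+): "
    r"(?P<kind>Direct from|Indirect): 0x(?P<addr>[0-9A-Fa-f]+)"
)

# ASSUMPTION: hypothetical module map. The report lists no module ranges; the
# two javasign_test.exe ranges are chosen to cover the addresses it reports,
# and the ntdll range is a placeholder that deliberately covers none of them.
MODULES = {
    "javasign_test.exe": [(0x7FF747230000, 0x7FF747450000), (0x140000000, 0x140130000)],
    "ntdll.dll": [(0x7FFA12340000, 0x7FFA12560000)],
}

# Direct syscalls that together let a process write and run code in another one.
INJECTION_SYSCALLS = {
    "NtAllocateVirtualMemory", "NtProtectVirtualMemory", "NtWriteVirtualMemory",
    "NtMapViewOfSection", "NtCreateThreadEx",
}

# Constructed subset of the entries above, in the report's own format.
REPORT_LINES = [
    r"Source: C:\Users\user\AppData\Local\Temp\javasign_test.exeNtReadVirtualMemory: Direct from: 0x7FF747389689Jump to behavior",
    r"Source: C:\Users\user\AppData\Local\Temp\javasign_test.exeNtAllocateVirtualMemory: Direct from: 0x7FF908164B5EJump to behavior",
    r"Source: C:\Users\user\AppData\Local\Temp\javasign_test.exeNtQueryValueKey: Direct from: 0x14011D93EJump to behavior",
    r"Source: C:\Users\user\AppData\Local\Temp\javasign_test.exeNtClose: Indirect: 0x14012000F",
    r"Source: C:\Users\user\AppData\Roaming\Writerfirefox_SD_v5\GUP.exeNtAllocateVirtualMemory: Direct from: 0x110Jump to behavior",
    r"Source: C:\Users\user\AppData\Roaming\Writerfirefox_SD_v5\GUP.exeNtQuerySystemInformation: Direct from: 0x24E00000000Jump to behavior",
    r"Source: C:\Users\user\AppData\Roaming\Writerfirefox_SD_v5\GUP.exeNtProtectVirtualMemory: Direct from: 0x6C006CJump to behavior",
]


def parse(lines):
    """Turn report entries into records; lines that are not syscall hits are skipped."""
    recs = []
    for line in lines:
        m = ENTRY.search(line)
        if m:
            recs.append({
                "process": m.group("proc").rsplit("\\", 1)[-1],
                "syscall": m.group("sys"),
                "kind": "direct" if m.group("kind") == "Direct from" else "indirect",
                "addr": int(m.group("addr"), 16),
            })
    return recs


def looks_like_text(addr):
    """True when the value reads as a short printable UTF-16LE string (0x6C006C == 'll')."""
    raw = addr.to_bytes(8, "little").rstrip(b"\x00")
    if len(raw) % 2:
        raw += b"\x00"
    units = [int.from_bytes(raw[i:i + 2], "little") for i in range(0, len(raw), 2)]
    return bool(units) and all(0x20 <= u < 0x7F for u in units)


def bucket(addr):
    """Where the recorded caller address points."""
    for name, ranges in MODULES.items():
        if any(lo <= addr < hi for lo, hi in ranges):
            return "ntdll-stub" if name == "ntdll.dll" else "module:" + name
    if addr < 0x10000 or looks_like_text(addr):
        return "implausible"      # the saved slot was never a return address
    return "unmapped"             # heap, stack, or a module missing from the map


def summarize(lines):
    """Per process, how many recorded callers fall in each bucket."""
    out = defaultdict(Counter)
    for r in parse(lines):
        out[r["process"]][bucket(r["addr"])] += 1
    return {p: dict(c) for p, c in out.items()}


def injection_primitives(lines):
    """Syscalls from the injection set that were issued without going through ntdll."""
    return sorted({r["syscall"] for r in parse(lines)
                   if r["kind"] == "direct" and r["syscall"] in INJECTION_SYSCALLS})


if __name__ == "__main__":
    print(summarize(REPORT_LINES))
    print(injection_primitives(REPORT_LINES))
```

On the full list the same tally shows javasign_test.exe issuing NtAllocateVirtualMemory, NtWriteVirtualMemory, NtMapViewOfSection and NtCreateThreadEx directly, which matches the memory-written and process-created entries that follow.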
Source: C:\Users\user\AppData\Roaming\Writerfirefox_SD_v5\GUP.exeSection loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: read writeJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeSection loaded: NULL target: C:\Users\user\AppData\Local\Temp\javasign_test.exe protection: read writeJump to behavior
Source: C:\Users\user\AppData\Roaming\Writerfirefox_SD_v5\GUP.exeSection loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: read writeJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeSection loaded: NULL target: C:\Users\user\AppData\Local\Temp\{5B642672-98B5-4E85-98D9-B1E750D8B749}\ISBEW64.exe protection: read writeJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeMemory written: C:\Users\user\AppData\Local\Temp\javasign_test.exe base: 14011BC08Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeMemory written: C:\Users\user\AppData\Local\Temp\javasign_test.exe base: 31C010Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeMemory written: C:\Users\user\AppData\Local\Temp\javasign_test.exe base: 14011BC08Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeMemory written: C:\Users\user\AppData\Local\Temp\javasign_test.exe base: 3A8010Jump to behavior
Source: C:\Users\user\AppData\Roaming\Writerfirefox_SD_v5\GUP.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exeJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\AppData\Local\Temp\javasign_test.exe C:\Users\user\AppData\Local\Temp\javasign_test.exeJump to behavior
Source: C:\Users\user\AppData\Roaming\Writerfirefox_SD_v5\GUP.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exeJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\AppData\Local\Temp\javasign_test.exe C:\Users\user\AppData\Local\Temp\javasign_test.exeJump to behavior
Source: GUP.exe, 0000000E.00000002.1413120900.0000017407DE5000.00000004.00000020.00020000.00000000.sdmp, GUP.exe, 0000000F.00000002.1472822488.0000024EC4593000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.1774594758.0000000004D23000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: )[%d] Shell_TrayWndTrayNotifyWnd
Source: C:\Users\user\AppData\Local\Temp\{8A9DAA3D-7792-4C0B-949B-347972941ADA}\GUP.exeCode function: __crtGetLocaleInfoEx,14_2_00007FF60CD7D698
Source: C:\Users\user\AppData\Local\Temp\{8A9DAA3D-7792-4C0B-949B-347972941ADA}\GUP.exeCode function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,14_2_00007FF60CD9F670
Source: C:\Users\user\AppData\Local\Temp\{8A9DAA3D-7792-4C0B-949B-347972941ADA}\GUP.exeCode function: EnumSystemLocalesW,14_2_00007FF60CD9EF88
Source: C:\Users\user\AppData\Local\Temp\{8A9DAA3D-7792-4C0B-949B-347972941ADA}\GUP.exeCode function: try_get_function,GetLocaleInfoW,14_2_00007FF60CD9973C
Source: C:\Users\user\AppData\Local\Temp\{8A9DAA3D-7792-4C0B-949B-347972941ADA}\GUP.exeCode function: EnumSystemLocalesW,14_2_00007FF60CD990B4
Source: C:\Users\user\AppData\Local\Temp\{8A9DAA3D-7792-4C0B-949B-347972941ADA}\GUP.exeCode function: EnumSystemLocalesW,14_2_00007FF60CD9F058
Source: C:\Users\user\AppData\Local\Temp\{8A9DAA3D-7792-4C0B-949B-347972941ADA}\GUP.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,14_2_00007FF60CD9F494
Source: C:\Users\user\AppData\Local\Temp\{8A9DAA3D-7792-4C0B-949B-347972941ADA}\GUP.exeCode function: __crtDownlevelLocaleNameToLCID,GetLocaleInfoW,14_2_00007FF60CD7D43C
Source: C:\Users\user\AppData\Local\Temp\{8A9DAA3D-7792-4C0B-949B-347972941ADA}\GUP.exeCode function: TranslateName,TranslateName,GetACP,IsValidCodePage,wcschr,wcschr,GetLocaleInfoW,14_2_00007FF60CD9EC3C
Source: C:\Users\user\AppData\Roaming\Writerfirefox_SD_v5\GUP.exeCode function: __crtGetLocaleInfoEx,15_2_00007FF7F5EBD698
Source: C:\Users\user\AppData\Roaming\Writerfirefox_SD_v5\GUP.exeCode function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,15_2_00007FF7F5EDF670
Source: C:\Users\user\AppData\Roaming\Writerfirefox_SD_v5\GUP.exeCode function: EnumSystemLocalesW,15_2_00007FF7F5ED90B4
Source: C:\Users\user\AppData\Roaming\Writerfirefox_SD_v5\GUP.exeCode function: EnumSystemLocalesW,15_2_00007FF7F5EDF058
Source: C:\Users\user\AppData\Roaming\Writerfirefox_SD_v5\GUP.exeCode function: EnumSystemLocalesW,15_2_00007FF7F5EDEF88
Source: C:\Users\user\AppData\Roaming\Writerfirefox_SD_v5\GUP.exeCode function: try_get_function,GetLocaleInfoW,15_2_00007FF7F5ED973C
Source: C:\Users\user\AppData\Roaming\Writerfirefox_SD_v5\GUP.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,15_2_00007FF7F5EDF494
Source: C:\Users\user\AppData\Roaming\Writerfirefox_SD_v5\GUP.exeCode function: TranslateName,TranslateName,GetACP,IsValidCodePage,wcschr,wcschr,GetLocaleInfoW,15_2_00007FF7F5EDEC3C
Source: C:\Users\user\AppData\Roaming\Writerfirefox_SD_v5\GUP.exeCode function: __crtDownlevelLocaleNameToLCID,GetLocaleInfoW,15_2_00007FF7F5EBD43C
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDateJump to behavior
Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\{5B642672-98B5-4E85-98D9-B1E750D8B749}\ISBEW64.exeCode function: 4_2_00007FF60D641128 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,4_2_00007FF60D641128
Source: C:\Users\user\AppData\Local\Temp\{8A9DAA3D-7792-4C0B-949B-347972941ADA}\GUP.exeCode function: 14_2_00007FF60CD9A2BC _get_daylight,_get_daylight,_get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation,14_2_00007FF60CD9A2BC
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
Source: C:\Users\user\AppData\Local\Temp\{5B642672-98B5-4E85-98D9-B1E750D8B749}\ISBEW64.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\{5B642672-98B5-4E85-98D9-B1E750D8B749}\ISBEW64.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Program Files\Windows Defender\MpCmdRun.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Program Files\Windows Defender\MpCmdRun.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct

Stealing of Sensitive Information

barindex
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe | Key opened: HKEY_CURRENT_USER\Software\Bitcoin\Bitcoin-Qt
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe | Key opened: HKEY_CURRENT_USER\Software\monero-project\monero-core
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe | Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe | Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2 Override
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe | File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe | File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\ca4gppea.default
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe | File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\3nxxd8pi.default-release
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default
Source: C:\Users\user\AppData\Local\Temp\javasign_test.exe | Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\{8A9DAA3D-7792-4C0B-949B-347972941ADA}\GUP.exe | Code function: 14_2_00007FF8E77E2FA0 getsockname, WSAGetLastError, WSAGetLastError, htons, bind, WSAGetLastError, getsockname, WSAGetLastError, getsockname, listen, WSAGetLastError, htons
Source: C:\Users\user\AppData\Local\Temp\{8A9DAA3D-7792-4C0B-949B-347972941ADA}\GUP.exe | Code function: 14_2_00007FF8E780A350 socket, htonl, setsockopt, bind, getsockname, listen, socket, connect, accept, getsockname, getpeername, closesocket, closesocket, closesocket, closesocket
Source: C:\Users\user\AppData\Local\Temp\{8A9DAA3D-7792-4C0B-949B-347972941ADA}\GUP.exe | Code function: 14_2_00007FF8E77D5270 htons, htons, htons, bind, htons, bind, getsockname, WSAGetLastError, WSAGetLastError
Source: C:\Users\user\AppData\Roaming\Writerfirefox_SD_v5\GUP.exe | Code function: 15_2_00007FF8E75B2FA0 getsockname, WSAGetLastError, WSAGetLastError, htons, bind, WSAGetLastError, getsockname, WSAGetLastError, getsockname, listen, WSAGetLastError, htons
Source: C:\Users\user\AppData\Roaming\Writerfirefox_SD_v5\GUP.exe | Code function: 15_2_00007FF8E75DA350 socket, htonl, setsockopt, bind, getsockname, listen, socket, connect, accept, getsockname, getpeername, closesocket, closesocket, closesocket, closesocket
Source: C:\Users\user\AppData\Roaming\Writerfirefox_SD_v5\GUP.exe | Code function: 15_2_00007FF8E75A5270 htons, htons, htons, bind, htons, bind, getsockname, WSAGetLastError, WSAGetLastError
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | 1 Replication Through Removable Media | 1 Windows Management Instrumentation | 11 DLL Side-Loading | 1 Abuse Elevation Control Mechanism | 1 Deobfuscate/Decode Files or Information | 1 OS Credential Dumping | 2 System Time Discovery | Remote Services | 12 Archive Collected Data | 2 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 Data Encrypted for Impact
Credentials | Domains | Default Accounts | 2 Native API | Boot or Logon Initialization Scripts | 11 DLL Side-Loading | 1 Abuse Elevation Control Mechanism | 1 Credentials in Registry | 11 Peripheral Device Discovery | Remote Desktop Protocol | 11 Data from Local System | 21 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | 2 Command and Scripting Interpreter | Logon Script (Windows) | 212 Process Injection | 2 Obfuscated Files or Information | Security Account Manager | 13 File and Directory Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 3 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 2 Software Packing | NTDS | 136 System Information Discovery | Distributed Component Object Model | Input Capture | 14 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 11 DLL Side-Loading | LSA Secrets | 141 Security Software Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 11 Masquerading | Cached Domain Credentials | 1 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Virtualization/Sandbox Evasion | DCSync | 3 Process Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 212 Process Injection | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Behavior Graph ID: 1603202 | Sample: 82.msi | Startdate: 30/01/2025 | Architecture: WINDOWS | Score: 88

Domains resolved at sample level: fg.microsoft.map.fastly.net, bapakopla.live
Sample-level signatures: PE file has a writeable .text section; Sigma detected: Suspicious GUP Usage; Joe Sandbox ML detected suspicious sample

Process tree (node numbers are those of the original graph):

msiexec.exe (13)
  msiexec.exe (24)
    dropped: C:\Users\user\AppData\Local\Temp\...\GUP.exe (PE32+); C:\Users\user\AppData\Local\...\ISBEW64.exe (PE32+); C:\Users\user\AppData\Local\...\libcurl.dll (PE32+); 2 other files (none is malicious)
    GUP.exe (39)
      signatures: Found direct / indirect Syscall (likely to bypass EDR)
      dropped: C:\Users\user\AppData\Roaming\...\GUP.exe (PE32+); C:\Users\user\AppData\Roaming\...\libcurl.dll (PE32+)
      GUP.exe (53)
        signatures: Maps a DLL or memory area into another process; Found direct / indirect Syscall (likely to bypass EDR)
        cmd.exe (58)
          signatures: Writes to foreign memory regions; Found hidden mapped module (file has been removed from disk); Maps a DLL or memory area into another process; Switches to a custom stack to bypass stack traces
          dropped: C:\Users\user\AppData\...\javasign_test.exe (PE32+); C:\Users\user\AppData\Local\Temp\uikfehek (PE32+)
          javasign_test.exe (62)
            network: bapakopla.live 104.21.64.1, 443, 49978, 49980 CLOUDFLARENETUS United States
            signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Found strings related to Crypto-Mining; Tries to harvest and steal Bitcoin Wallet information; Found direct / indirect Syscall (likely to bypass EDR)
            msedge.exe (68)
              msedge.exe (70)
          conhost.exe (66)
    MpCmdRun.exe (43)
      conhost.exe (56)
    ISBEW64.exe (45)
    9 other processes (51)
GUP.exe (15)
  signatures: Maps a DLL or memory area into another process; Found direct / indirect Syscall (likely to bypass EDR)
  cmd.exe (27)
    signatures: Writes to foreign memory regions; Maps a DLL or memory area into another process
    dropped: C:\Users\user\AppData\Local\Temp\bfh (PE32+)
    javasign_test.exe (47)
      signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to harvest and steal browser information (history, passwords, etc)
    conhost.exe (49)
msedge.exe (18)
  network: 192.168.2.6 unknown unknown; 192.168.2.9, 138, 443, 49160 unknown unknown; 239.255.255.250 unknown Reserved
  msedge.exe (30)
    network: c-msn-pme.trafficmanager.net 13.74.129.1, 443, 50002 MICROSOFT-CORP-MSN-AS-BLOCKUS United States; ax-0001.ax-msedge.net 150.171.27.10, 443, 50007 MICROSOFT-CORP-MSN-AS-BLOCKUS United States; 27 other IPs or domains
  msedge.exe (33)
  msedge.exe (35)
  msedge.exe (37)
msiexec.exe (21)
  dropped: C:\Users\user\AppData\Local\...\MSIBD70.tmp (PE32); C:\Users\user\AppData\Local\...\MSIBA81.tmp (PE32)

No Antivirus matches
Source | Detection | Scanner
C:\Users\user\AppData\Local\Temp\MSIBA81.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\MSIBD70.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\javasign_test.exe | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\{5B642672-98B5-4E85-98D9-B1E750D8B749}\ISBEW64.exe | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\{5B642672-98B5-4E85-98D9-B1E750D8B749}\ISRT.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\{5B642672-98B5-4E85-98D9-B1E750D8B749}\_isres_0x0409.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\{8A9DAA3D-7792-4C0B-949B-347972941ADA}\GUP.exe | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\{8A9DAA3D-7792-4C0B-949B-347972941ADA}\libcurl.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Writerfirefox_SD_v5\GUP.exe | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Writerfirefox_SD_v5\libcurl.dll | 0% | ReversingLabs
Name | IP | Active | Malicious | Reputation
fg.microsoft.map.fastly.net | 199.232.210.172 | true | false | high
chrome.cloudflare-dns.com | 172.64.41.3 | true | false | high
a416.dscd.akamai.net | 2.22.242.11 | true | false | high
s-part-0033.t-0009.t-msedge.net | 13.107.246.61 | true | false | high
a-0003.a-msedge.net | 204.79.197.203 | true | false | high
c-msn-pme.trafficmanager.net | 13.74.129.1 | true | false | high
ssl.bingadsedgeextension-prod-europe.azurewebsites.net | 94.245.104.56 | true | false | high
sb.scorecardresearch.com | 18.244.18.38 | true | false | high
bapakopla.live | 104.21.64.1 | true | false | unknown
ax-0001.ax-msedge.net | 150.171.27.10 | true | false | high
e28578.d.akamaiedge.net | 2.23.209.45 | true | false | high
bzib.nelreports.net | unknown | unknown | false | high
assets.msn.com | unknown | unknown | false | high
c.msn.com | unknown | unknown | false | high
ntp.msn.com | unknown | unknown | false | high
api.msn.com | unknown | unknown | false | high
                                                                                                                            high
                                                                                                                            https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-brjavasign_test.exe, 00000019.00000003.2135410886.00000000085AA000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                              high
                                                                                                                              https://bapakopla.live/Bzjavasign_test.exe, 00000019.00000003.1897087534.0000000000515000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                              • Avira URL Cloud: safe
                                                                                                                              unknown
                                                                                                                              http://www.symauth.com/rpa00GUP.exe, 0000000E.00000002.1413120900.0000017407DE5000.00000004.00000020.00020000.00000000.sdmp, GUP.exe, 0000000F.00000002.1472822488.0000024EC4593000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.1774594758.0000000004D23000.00000004.00000800.00020000.00000000.sdmp, GUP.exe, 00000016.00000002.1739510907.000001DFAD91F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.1951690362.0000000004CD0000.00000004.00000800.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000002.2238875875.0000000002781000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                high
                                                                                                                                https://curl.se/docs/copyright.htmlGUP.exefalse
                                                                                                                                  high
                                                                                                                                  http://www.info-zip.org/GUP.exe, 0000000E.00000002.1413120900.0000017407D8F000.00000004.00000020.00020000.00000000.sdmp, GUP.exe, 0000000F.00000002.1472822488.0000024EC453D000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.1774594758.0000000004CDA000.00000004.00000800.00020000.00000000.sdmp, GUP.exe, 00000016.00000002.1739510907.000001DFAD8C9000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.1951690362.0000000004C87000.00000004.00000800.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000002.2238875875.0000000002738000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                    high
                                                                                                                                    https://assets.msn.com/bundles/v1/edgeChromium/latest/toast-wc.a6ec0994c38d3a2ed778.js016b.jsNjavasign_test.exe, 00000019.00000003.2132985862.0000000007FC8000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.2068192039.0000000007FB0000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.2189447302.0000000007FC8000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.2208631971.0000000007FC8000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.2120833759.0000000007FC8000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000002.2253354425.0000000007FC8000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.2211431271.0000000007FC8000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.2127525933.0000000007FC8000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                      high
                                                                                                                                      https://curl.se/VGUP.exe, 0000000E.00000002.1406296897.0000017400E6E000.00000004.00000020.00020000.00000000.sdmp, GUP.exe, 0000000E.00000002.1414831459.00007FF8E7870000.00000002.00000001.01000000.00000005.sdmp, GUP.exe, 0000000F.00000002.1475041257.00007FF8E7640000.00000002.00000001.01000000.00000008.sdmp, GUP.exe, 00000016.00000002.1742288022.00007FF8E7740000.00000002.00000001.01000000.00000008.sdmpfalse
                                                                                                                                        high
                                                                                                                                        https://bapakopla.live/rEjavasign_test.exe, 00000019.00000002.2236776539.0000000000515000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                        • Avira URL Cloud: safe
                                                                                                                                        unknown
                                                                                                                                        https://msn.comPjavasign_test.exe, 00000019.00000003.2068192039.0000000007FB0000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.2093032418.0000000007FB0000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                        • Avira URL Cloud: safe
                                                                                                                                        unknown
                                                                                                                                        https://bapakopla.live/17415-what-really-happened-channels-123-west.html?hpdws8f=7AbxF2FXIPIxxWQMTECjavasign_test.exe, 00000019.00000003.1898115248.0000000000894000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000002.2237602703.000000000088C000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                        • Avira URL Cloud: safe
                                                                                                                                        unknown
                                                                                                                                        https://notepad-plus-plus.org/downloads/openid_moreinfohttps://npp-user-manual.org/docs/upgrading/#nGUP.exe, 0000000E.00000002.1414525765.00007FF60CDC8000.00000002.00000001.01000000.00000004.sdmp, GUP.exe, 0000000E.00000000.1394870114.00007FF60CDC8000.00000002.00000001.01000000.00000004.sdmp, GUP.exe, 0000000F.00000000.1405783439.00007FF7F5F08000.00000002.00000001.01000000.00000007.sdmp, GUP.exe, 0000000F.00000002.1474561861.00007FF7F5F08000.00000002.00000001.01000000.00000007.sdmp, GUP.exe, 00000016.00000000.1671349601.00007FF7F5F08000.00000002.00000001.01000000.00000007.sdmp, GUP.exe, 00000016.00000002.1741952203.00007FF7F5F08000.00000002.00000001.01000000.00000007.sdmpfalse
                                                                                                                                          high
                                                                                                                                          https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=javasign_test.exe, 00000019.00000003.1929888666.00000000008D9000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.1930036035.00000000008D9000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                            high
                                                                                                                                            https://ntp.msn.comjavasign_test.exe, 00000019.00000003.2132985862.0000000007FC8000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.2189447302.0000000007FC8000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.2208631971.0000000007FC8000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.2120833759.0000000007FC8000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000002.2253354425.0000000007FC8000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.2093828757.00000000008D6000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.2093032418.0000000007F81000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.2093618074.00000000008EE000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.2119041666.00000000008FA000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.2211431271.0000000007FC8000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.2127525933.0000000007FC8000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.2093032418.0000000007F9F000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                              high
                                                                                                                                              http://www.softwareok.de/?Freeware/Find.Same.Images.OKjavasign_test.exe, 00000019.00000000.1699052409.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpfalse
                                                                                                                                                high
                                                                                                                                                https://ecs.nel.measure.office.net/?TenantId=Edge&DesusertionEndpoint=Edge-Prod-EWR30r1&FrontEnd=AFDjavasign_test.exe, 00000019.00000003.2093032418.0000000007F81000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                  high
                                                                                                                                                  http://x1.c.lencr.org/0javasign_test.exe, 00000019.00000003.2068192039.0000000007FA3000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.2126443853.0000000007FFF000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.2068192039.0000000007FA7000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                    high
                                                                                                                                                    http://x1.i.lencr.org/0javasign_test.exe, 00000019.00000003.2068192039.0000000007FA3000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.2126443853.0000000007FFF000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.2068192039.0000000007FA7000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                      high
                                                                                                                                                      https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/searchjavasign_test.exe, 00000019.00000003.1929888666.00000000008D9000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.1930036035.00000000008D9000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                        high
                                                                                                                                                        https://ntp.msn.com/javasign_test.exe, 00000019.00000003.2068192039.0000000007FA3000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.2119041666.00000000008FA000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.2118511502.0000000007FA8000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                          high
                                                                                                                                                          https://ntp.msn.com/edge/ntp?locale=en-GB&title=New%20tab&dsp=1&sp=Bing&isFREModalBackground=1&startjavasign_test.exe, 00000019.00000003.2068192039.0000000007FB0000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                            high
                                                                                                                                                            https://www.google.com/images/branding/product/ico/googleg_lodp.icojavasign_test.exe, 00000019.00000003.1929888666.00000000008D9000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.1930036035.00000000008D9000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                              high
                                                                                                                                                              https://bapakopla.live/17415-what-really-happened-channels-123-west.htmljavasign_test.exe, 00000019.00000002.2237602703.000000000084E000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                              • Avira URL Cloud: safe
                                                                                                                                                              unknown
                                                                                                                                                              https://curl.se/docs/http-cookies.htmlGUP.exe, GUP.exe, 0000000F.00000002.1474955126.00007FF8E761B000.00000002.00000001.01000000.00000008.sdmp, GUP.exe, 00000016.00000002.1742189864.00007FF8E771B000.00000002.00000001.01000000.00000008.sdmpfalse
                                                                                                                                                                high
                                                                                                                                                                https://assets.msn.com/bundles/v1/edgeChromium/latest/common-segments.f68ee5aa19f6973c90eb.jsa.jsjavasign_test.exe, 00000019.00000003.2132985862.0000000007FC8000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.2068192039.0000000007FB0000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.2189447302.0000000007FC8000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.2208631971.0000000007FC8000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.2120833759.0000000007FC8000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000002.2253354425.0000000007FC8000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.2211431271.0000000007FC8000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.2127525933.0000000007FC8000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                                  high
                                                                                                                                                                  https://assets.msn.com/bundles/v1/edgeChromium/latest/toast-wc.a6ec0994c38d3a2ed778.jsjavasign_test.exe, 00000019.00000003.2132985862.0000000007FC8000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.2068192039.0000000007FB0000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.2189447302.0000000007FC8000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.2208631971.0000000007FC8000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.2120833759.0000000007FC8000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000002.2253354425.0000000007FC8000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.2211431271.0000000007FC8000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.2127525933.0000000007FC8000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                                    high
                                                                                                                                                                    https://ntp.msn.comreport-tojavasign_test.exe, 00000019.00000003.2118511502.0000000007F97000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                                    • Avira URL Cloud: safe
                                                                                                                                                                    unknown
                                                                                                                                                                    https://bapakopla.live:443/17415-what-really-happened-channels-123-west.html?hpdws8f=7AbxF2FXIPIxxWQjavasign_test.exe, 00000019.00000003.2177995459.00000000004C7000.00000004.00000020.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.1888287976.00000000004C7000.00000004.00000020.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000002.2236776539.00000000004C0000.00000004.00000020.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.1880135664.00000000004C7000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                    • Avira URL Cloud: safe
                                                                                                                                                                    unknown
                                                                                                                                                                    http://www.vmware.com/0/GUP.exe, 0000000E.00000002.1413120900.0000017407DE5000.00000004.00000020.00020000.00000000.sdmp, GUP.exe, 0000000F.00000002.1472822488.0000024EC4593000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.1774594758.0000000004D23000.00000004.00000800.00020000.00000000.sdmp, GUP.exe, 00000016.00000002.1739510907.000001DFAD91F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.1951690362.0000000004CD0000.00000004.00000800.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000002.2238875875.0000000002781000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                                      high
                                                                                                                                                                      https://bapakopla.live/Vzjavasign_test.exe, 00000019.00000002.2236776539.0000000000515000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                      • Avira URL Cloud: safe
                                                                                                                                                                      unknown
                                                                                                                                                                      http://www.softwareok.com/?seite=faq-Find.Same.Images.OK&faq=0javasign_test.exe, 00000019.00000000.1699052409.00000001401F4000.00000002.00000001.01000000.0000000D.sdmpfalse
                                                                                                                                                                        high
                                                                                                                                                                        http://www.???.xx/?search=%sGUP.exe, 0000000E.00000002.1413120900.0000017407DE5000.00000004.00000020.00020000.00000000.sdmp, GUP.exe, 0000000F.00000002.1472822488.0000024EC4593000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.1774594758.0000000004D23000.00000004.00000800.00020000.00000000.sdmp, GUP.exe, 00000016.00000002.1739510907.000001DFAD91F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.1951690362.0000000004CD0000.00000004.00000800.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000002.2238875875.0000000002781000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000002.2254276363.00000001401E0000.00000002.00000001.01000000.0000000D.sdmpfalse
                                                                                                                                                                          high
                                                                                                                                                                          https://assets.msn.com/service/news/feed/pages/weblayout?User=m-3D2B5C354AB86677373249B14BDA678F&actjavasign_test.exe, 00000019.00000003.2119041666.00000000008FA000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                                            high
                                                                                                                                                                            https://assets.msn.com/bundles/v1/edgeChromium/latest/common-settings-edgenext.e38a5b1c655db7a449de.javasign_test.exe, 00000019.00000003.2132985862.0000000007FC8000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.2189447302.0000000007FC8000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.2208631971.0000000007FC8000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.2120833759.0000000007FC8000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000002.2253354425.0000000007FC8000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.2211431271.0000000007FC8000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.2127525933.0000000007FC8000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                                              high
                                                                                                                                                                              https://ac.ecosia.org/autocomplete?q=javasign_test.exe, 00000019.00000003.1929888666.00000000008D9000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.1930036035.00000000008D9000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                                                high
                                                                                                                                                                                https://curl.se/docs/copyright.htmlDGUP.exe, 0000000E.00000002.1406296897.0000017400E6E000.00000004.00000020.00020000.00000000.sdmp, GUP.exe, 0000000E.00000002.1414831459.00007FF8E7870000.00000002.00000001.01000000.00000005.sdmp, GUP.exe, 0000000F.00000002.1475041257.00007FF8E7640000.00000002.00000001.01000000.00000008.sdmp, GUP.exe, 00000016.00000002.1742288022.00007FF8E7740000.00000002.00000001.01000000.00000008.sdmpfalse
                                                                                                                                                                                  high
                                                                                                                                                                                  http://crt.rootca1.amazontrust.com/rootca1.cer0?javasign_test.exe, 00000019.00000003.2126443853.0000000007FFF000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                                                    high
                                                                                                                                                                                    http://e5.i.lencr.org/0Ajavasign_test.exe, 00000019.00000003.2068192039.0000000007FA3000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                                                      high
Name | Source | Malicious | Antivirus Detection | Reputation
https://bapakopla.live/sJz | javasign_test.exe, 00000019.00000002.2236776539.0000000000515000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ntp.msn.com/tt | javasign_test.exe, 00000019.00000003.2068192039.0000000007FA3000.00000004.00000001.00020000.00000000.sdmp | false | - | high
https://ntp.msn.comreport-to: | javasign_test.exe, 00000019.00000003.2093828757.00000000008D6000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.2211431271.0000000007FC8000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.2127525933.0000000007FC8000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.2093032418.0000000007F9F000.00000004.00000001.00020000.00000000.sdmp | false | - | high
https://curl.se/docs/http-cookies.html# | GUP.exe | false | - | high
https://support.mozilla.org | javasign_test.exe, 00000019.00000003.2135410886.00000000085A3000.00000004.00000001.00020000.00000000.sdmp | false | - | high
http://www.surfok.de/ | javasign_test.exe, 00000019.00000002.2238875875.0000000002781000.00000004.00000001.00020000.00000000.sdmp | false | - | high
http://crl.v | javasign_test.exe, 00000019.00000003.2137969834.00000000004D5000.00000004.00000020.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.2177995459.00000000004D5000.00000004.00000020.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.1879586902.00000000004D5000.00000004.00000020.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.1897087534.00000000004D5000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | javasign_test.exe, 00000019.00000003.1929888666.00000000008D9000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000003.1930036035.00000000008D9000.00000004.00000001.00020000.00000000.sdmp | false | - | high
http://www.softwareok.com | GUP.exe, 0000000E.00000002.1413120900.0000017407DE5000.00000004.00000020.00020000.00000000.sdmp, GUP.exe, 0000000F.00000002.1472822488.0000024EC4593000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.1774594758.0000000004D23000.00000004.00000800.00020000.00000000.sdmp, GUP.exe, 00000016.00000002.1739510907.000001DFAD91F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.1951690362.0000000004CD0000.00000004.00000800.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000002.2238875875.0000000002781000.00000004.00000001.00020000.00000000.sdmp, javasign_test.exe, 00000019.00000002.2254276363.00000001401E0000.00000002.00000001.01000000.0000000D.sdmp | false | - | high
https://notepad-plus-plus.org/downloads/ | GUP.exe | false | - | high
IP | Domain | Country | ASN | ASN Name | Malicious
104.21.64.1 | bapakopla.live | United States | 13335 | CLOUDFLARENETUS | false
2.22.242.11 | a416.dscd.akamai.net | European Union | 20940 | AKAMAI-ASN1EU | false
23.57.90.153 | unknown | United States | 35994 | AKAMAI-ASUS | false
23.200.88.36 | unknown | United States | 16625 | AKAMAI-ASUS | false
52.168.117.170 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
162.159.61.3 | unknown | United States | 13335 | CLOUDFLARENETUS | false
23.219.82.91 | unknown | United States | 20940 | AKAMAI-ASN1EU | false
13.74.129.1 | c-msn-pme.trafficmanager.net | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
20.110.205.119 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
204.79.197.219 | unknown | United States | 8068 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
172.64.41.3 | chrome.cloudflare-dns.com | United States | 13335 | CLOUDFLARENETUS | false
2.23.209.45 | e28578.d.akamaiedge.net | European Union | 1273 | CWVodafoneGroupPLCEU | false
23.57.90.143 | unknown | United States | 35994 | AKAMAI-ASUS | false
13.35.93.67 | unknown | United States | 16509 | AMAZON-02US | false
18.244.18.38 | sb.scorecardresearch.com | United States | 16509 | AMAZON-02US | false
150.171.27.10 | ax-0001.ax-msedge.net | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
239.255.255.250 | unknown | Reserved | unknown | unknown | false
204.79.197.203 | a-0003.a-msedge.net | United States | 8068 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
142.250.176.193 | unknown | United States | 15169 | GOOGLEUS | false
IP
192.168.2.9
192.168.2.6
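Text exports of these Joe Sandbox URL and IP tables usually arrive with adjacent cells run together: the URL, the source process, its memory-dump identifiers and the malicious flag end up in one string, and each IP row is spread over three lines. The script below is an added example, not part of the Joe Sandbox report or product, that parses rows in that fused form into structured IOC records and joins URL hosts to the resolved-IP table. Its sample input is constructed by copying rows from the tables above. It assumes that the source-process names (javasign_test.exe, GUP.exe, cmd.exe) and the country strings form the closed sets seen in this report; memory-dump identifiers are carried through as opaque strings.

```python
"""Parse fused Joe Sandbox URL / IP table rows into structured IOC records.

Added example, not Joe Sandbox code. Sample rows are constructed by copying
rows from the report in their fused text form. Assumptions: PROCESSES and
COUNTRIES are the closed sets seen in this report; dump ids stay opaque.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

PROCESSES = ("javasign_test.exe", "GUP.exe", "cmd.exe")   # assumption: closed set
COUNTRIES = ("United States", "European Union", "Reserved")  # assumption: closed set

# Joe Sandbox memory-dump identifier, e.g.
# 00000019.00000002.2236776539.0000000000515000.00000004.00000020.00020000.00000000.sdmp
DUMP_RE = re.compile(
    r"[0-9A-Fa-f]{8}\.[0-9A-Fa-f]{8}\.\d+\.[0-9A-Fa-f]{16}(?:\.[0-9A-Fa-f]{8}){4}\.sdmp"
)
FLAG_RE = re.compile(r"(true|false)$")
ASN_RE = re.compile(r"(\d+|unknown)(.*?)(true|false)")


@dataclass
class UrlIoc:
    url: str
    sources: List[Tuple[str, Optional[str]]]  # (process, dump id or None)
    malicious: bool


@dataclass
class IpIoc:
    ip: str
    domain: str
    country: str
    asn: str
    asn_name: str
    malicious: bool


def parse_url_row(row: str) -> UrlIoc:
    """Split '<url><process>[, <dump>, <process>, <dump>...]<true|false>'."""
    flag = FLAG_RE.search(row)
    if not flag:
        raise ValueError("no malicious flag in %r" % row)
    body = row[: flag.start()]
    # The URL ends where the earliest source-process name begins.
    hits = [(body.find(p), p) for p in PROCESSES if p in body]
    if not hits:
        raise ValueError("no source process in %r" % row)
    cut = min(hits)[0]
    url, source = body[:cut], body[cut:]
    sources: List[Tuple[str, Optional[str]]] = []
    for tok in source.split(", "):
        if DUMP_RE.fullmatch(tok):
            proc, _ = sources[-1]
            sources[-1] = (proc, tok)  # a dump id belongs to the process before it
        else:
            sources.append((tok, None))
    return UrlIoc(url, sources, flag.group(1) == "true")


def parse_ip_row(ip: str, domain_country: str, asn_line: str) -> IpIoc:
    """Split the three extracted lines that make up one IP-table row."""
    country = next((c for c in COUNTRIES if domain_country.endswith(c)), None)
    if country is None:
        raise ValueError("unknown country in %r" % domain_country)
    m = ASN_RE.fullmatch(asn_line)
    if not m:
        raise ValueError("bad ASN line %r" % asn_line)
    domain = domain_country[: -len(country)]
    return IpIoc(ip, domain, country, m.group(1), m.group(2), m.group(3) == "true")


def parse_ip_table(lines: List[str]) -> List[IpIoc]:
    """IP rows arrive as consecutive triples of lines."""
    if len(lines) % 3:
        raise ValueError("IP table line count is not a multiple of three")
    return [parse_ip_row(*lines[i:i + 3]) for i in range(0, len(lines), 3)]


def correlate(urls: List[UrlIoc], ips: List[IpIoc]) -> Dict[str, List[IpIoc]]:
    """Map each URL host that also appears as a resolved domain to its IP rows."""
    by_domain: Dict[str, List[IpIoc]] = {}
    for rec in ips:
        by_domain.setdefault(rec.domain, []).append(rec)
    return {h: by_domain[h] for h in (urlsplit(u.url).hostname for u in urls)
            if h in by_domain}


# Constructed input: rows copied from the report in their fused text form.
URL_ROWS = [
    "https://bapakopla.live/sJzjavasign_test.exe, 00000019.00000002.2236776539."
    "0000000000515000.00000004.00000020.00020000.00000000.sdmpfalse",
    "https://curl.se/docs/http-cookies.html#GUP.exefalse",
    "http://www.softwareok.comGUP.exe, 0000000E.00000002.1413120900.0000017407DE5000"
    ".00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000010.00000002.1774594758"
    ".0000000004D23000.00000004.00000800.00020000.00000000.sdmpfalse",
]
IP_LINES = [
    "104.21.64.1", "bapakopla.liveUnited States", "13335CLOUDFLARENETUSfalse",
    "2.22.242.11", "a416.dscd.akamai.netEuropean Union", "20940AKAMAI-ASN1EUfalse",
    "239.255.255.250", "unknownReserved", "unknownunknownfalse",
]

if __name__ == "__main__":
    urls = [parse_url_row(r) for r in URL_ROWS]
    ips = parse_ip_table(IP_LINES)
    for u in urls:
        print(u.url, "<-", ", ".join(p for p, _ in u.sources), "malicious=%s" % u.malicious)
    for host, recs in correlate(urls, ips).items():
        print(host, "->", ", ".join("%s (AS%s %s)" % (r.ip, r.asn, r.asn_name) for r in recs))
```

With the rows above, the only URL host that also appears in the IP table is bapakopla.live, which the script joins to 104.21.64.1 in AS13335 (CLOUDFLARENETUS); the per-process dump identifiers stay attached to each URL so the record keeps its provenance (which process, which memory region) for later pivoting.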
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1603202
Start date and time: 2025-01-30 17:41:09 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 10m 34s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 42
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: 82.msi
Detection: MAL
Classification: mal88.spyw.evad.mine.winMSI@87/265@19/21
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 97%
• Number of executed functions: 15
• Number of non-executed functions: 301
Cookbook Comments:
• Found application associated with file extension: .msi
• Exclude process from analysis (whitelisted): dllhost.exe, RuntimeBroker.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 2.17.190.73, 13.107.21.239, 204.79.197.239, 142.250.186.142, 13.107.6.158, 13.107.42.16, 108.141.37.120, 88.221.110.195, 88.221.110.242, 2.21.65.154, 2.21.65.132, 142.251.32.99, 172.217.165.131, 142.250.65.163, 142.250.80.67, 13.107.246.61, 172.202.163.200, 184.28.90.27, 94.245.104.56, 40.126.32.133, 4.153.29.52, 23.200.0.34, 104.117.182.41, 13.107.246.40, 150.171.28.10
• Excluded domains from analysis (whitelisted): nav-edge.smartscreen.microsoft.com, config.edge.skype.com.trafficmanager.net, slscr.update.microsoft.com, img-s-msn-com.akamaized.net, data-edge.smartscreen.microsoft.com, otelrules.afd.azureedge.net, clients2.google.com, e86303.dscx.akamaiedge.net, ocsp.digicert.com, www.bing.com.edgekey.net, login.live.com, config-edge-skype.l-0007.l-msedge.net, th.bing.com, msedge.b.tlu.dl.delivery.mp.microsoft.com, www.gstatic.com, l-0007.l-msedge.net, config.edge.skype.com, star.b.tlu.dl.delivery.mp.microsoft.com.delivery.microsoft.com, www.bing.com, cdp-f-tlu-net.trafficmanager.net, edge-microsoft-com.dual-a-0036.a-msedge.net, fs.microsoft.com, bingadsedgeextension-prod.trafficmanager.net, th.bing.com.edgekey.net, otelrules.azureedge.net, api.edgeoffer.microsoft.com, p-th.bing.com.trafficmanager.net, b-0005.b-msedge.net, prod-atm-wds-edge.trafficmanager.net, www-www.bing.com.trafficmanager.net, edge.microsoft.com, business-bing-com.b-0005.b-msedge.net, prod-agic-we-5.westeur
• Not all processes were analyzed; the report is missing behavior information.
• Report creation exceeded the maximum time; the report may be missing disassembly code information.
• Report size exceeded maximum capacity; the report may be missing behavior information.
• Report size exceeded maximum capacity; the report may be missing disassembly code.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtCreateFile calls found.
• Report size getting too big, too many NtOpenFile calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryAttributesFile calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtQueryVolumeInformationFile calls found.
• Report size getting too big, too many NtSetInformationFile calls found.
• Report size getting too big, too many NtWriteFile calls found.
• Report size getting too big, too many NtWriteVirtualMemory calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                                                                                                                                                                        TimeTypeDescription
                                                                                                                                                                                                        11:42:45API Interceptor22x Sleep call for process: javasign_test.exe modified
                                                                                                                                                                                                        11:42:54API Interceptor1x Sleep call for process: MpCmdRun.exe modified
                                                                                                                                                                                                        16:42:24AutostartRun: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Uwm_Com.lnk
                                                                                                                                                                                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                                                                                        104.21.64.1QUOTATION#009865.exeGet hashmaliciousFormBookBrowse
                                                                                                                                                                                                        • www.mzkd6gp5.top/3u0p/
                                                                                                                                                                                                        Curriculum Vitae.exeGet hashmaliciousFormBookBrowse
                                                                                                                                                                                                        • www.sigaque.today/n61y/
                                                                                                                                                                                                        Updated Price List for 2025 Business Year.exeGet hashmaliciousFormBookBrowse
                                                                                                                                                                                                        • www.sigaque.today/7c9r/
                                                                                                                                                                                                        #U0130HRACAT FATURASI.exeGet hashmaliciousFormBookBrowse
                                                                                                                                                                                                        • www.sv3880.vip/wywx/
                                                                                                                                                                                                        TT Copy.rar.exeGet hashmaliciousFormBookBrowse
                                                                                                                                                                                                        • www.enoughmoney.online/ttkm/
                                                                                                                                                                                                        New Invoice.exeGet hashmaliciousFormBookBrowse
                                                                                                                                                                                                        • www.sigaque.today/7c9r/
                                                                                                                                                                                                        HAWB 074-02689536.exeGet hashmaliciousFormBook, PureLog StealerBrowse
                                                                                                                                                                                                        • www.mzkd6gp5.top/w43d/
                                                                                                                                                                                                        NVIDIAShare.exe.bin.exeGet hashmaliciousDCRat, PureLog Stealer, zgRATBrowse
                                                                                                                                                                                                        • bibaprog.ru/ProviderEternallineauthmultiTrackwordpressWpDownloads.php
                                                                                                                                                                                                        gem2.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                        • securetextweb.cc/STB/c2VjdXJldGV4dHdlYg==M.txt
                                                                                                                                                                                                        SpCuEoekPa.exeGet hashmaliciousFormBookBrowse
                                                                                                                                                                                                        • www.mffnow.info/0pqe/
                                                                                                                                                                                                        2.22.242.11unins000.exeGet hashmaliciousVidarBrowse
                                                                                                                                                                                                          uwmC39FNho.exeGet hashmaliciousRemcosBrowse
                                                                                                                                                                                                            23.57.90.15357ff67.msiGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                              23.200.88.36file.exeGet hashmaliciousAmadey, Stealc, VidarBrowse
                                                                                                                                                                                                                52.168.117.170Statement 01-28-25.xlsxGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                  https://sanctionssearch.ofac.treas.govGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                    aD7D9fkpII.exeGet hashmaliciousVidarBrowse
                                                                                                                                                                                                                      file.exeGet hashmaliciousPureCrypter, Amadey, Cerbfyne Stealer, Credential Flusher, Cryptbot, LummaC Stealer, Poverty StealerBrowse
                                                                                                                                                                                                                        3e5cb809-f546-fb3c-b0e3-5de228b453ab.emlGet hashmaliciousHTMLPhisherBrowse
                                                                                                                                                                                                                          file.exeGet hashmaliciousAmadey, Stealc, VidarBrowse
                                                                                                                                                                                                                            https://8jkfw9cqp7ep.z13.web.core.windows.net/?zpbid=78432_55610c1d-9229-11ef-824f-03718b6de7bb#Get hashmaliciousHTMLPhisher, TechSupportScamBrowse
                                                                                                                                                                                                                              https://merzcon-my.sharepoint.com/:f:/g/personal/cnico_merzcon_onmicrosoft_com/EmjHG5K9dP9BtgBBeTTFhjABJRRLGM6IhVrJlwBTMWY8rg?e=pfkS1fGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                Message_2551600.emlGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                  fa5a527b.emlGet hashmaliciousHTMLPhisherBrowse
                                                                                                                                                                                                                                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                                                                                                                    chrome.cloudflare-dns.comarchifiltre-mails-win.msiGet hashmaliciousHTMLPhisherBrowse
                                                                                                                                                                                                                                    • 162.159.61.3
                                                                                                                                                                                                                                    kf-dcp-download-setup.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                    • 172.64.41.3
                                                                                                                                                                                                                                    random.exeGet hashmaliciousVidarBrowse
                                                                                                                                                                                                                                    • 172.64.41.3
                                                                                                                                                                                                                                    el.msiGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                    • 172.64.41.3
                                                                                                                                                                                                                                    Purchase_Agreement_1020036.pdf.lnk.bin.lnkGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                    • 172.64.41.3
                                                                                                                                                                                                                                    installer.msiGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                    • 162.159.61.3
                                                                                                                                                                                                                                    installer.msiGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                    • 172.64.41.3
                                                                                                                                                                                                                                    NRKCZ1PSDM.exeGet hashmaliciousPureLog Stealer, VidarBrowse
                                                                                                                                                                                                                                    • 172.64.41.3
                                                                                                                                                                                                                                    ATT78490.htmlGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                    • 172.64.41.3
                                                                                                                                                                                                                                    random.exeGet hashmaliciousAmadey, AsyncRAT, LummaC Stealer, PureLog Stealer, Socks5Systemz, Stealc, VidarBrowse
                                                                                                                                                                                                                                    • 162.159.61.3
                                                                                                                                                                                                                                    a416.dscd.akamai.netrandom.exeGet hashmaliciousVidarBrowse
                                                                                                                                                                                                                                    • 2.22.242.105
                                                                                                                                                                                                                                    el.msiGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                    • 2.19.126.145
                                                                                                                                                                                                                                    Purchase_Agreement_1020036.pdf.lnk.bin.lnkGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                    • 2.19.126.152
                                                                                                                                                                                                                                    installer.msiGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                    • 2.19.11.98
                                                                                                                                                                                                                                    NRKCZ1PSDM.exeGet hashmaliciousPureLog Stealer, VidarBrowse
                                                                                                                                                                                                                                    • 2.19.11.98
                                                                                                                                                                                                                                    random.exeGet hashmaliciousAmadey, AsyncRAT, LummaC Stealer, PureLog Stealer, VidarBrowse
                                                                                                                                                                                                                                    • 2.16.168.113
                                                                                                                                                                                                                                    random.exeGet hashmaliciousAmadey, AsyncRAT, LummaC Stealer, PureLog Stealer, Socks5Systemz, Stealc, VidarBrowse
                                                                                                                                                                                                                                    • 2.16.168.113
                                                                                                                                                                                                                                    25xTHcaF7V.exeGet hashmaliciousVidarBrowse
                                                                                                                                                                                                                                    • 2.22.242.105
                                                                                                                                                                                                                                    Message.emlGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                    • 2.22.242.105
                                                                                                                                                                                                                                    Benzene.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                    • 2.22.242.11
                                                                                                                                                                                                                                    fg.microsoft.map.fastly.netBenzene.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                    • 199.232.214.172
                                                                                                                                                                                                                                    CLOlOswCpi.msiGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                    • 199.232.210.172
                                                                                                                                                                                                                                    http://unikuesolutions.com/ck/bd/%7BRANDOM_NUMBER05%7D/YmVuc29uLmxpbkB2aGFjb3JwLmNvbQ==Get hashmaliciousHTMLPhisherBrowse
                                                                                                                                                                                                                                    • 199.232.210.172
                                                                                                                                                                                                                                    Setup.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                    • 199.232.214.172
                                                                                                                                                                                                                                    cLm7ThwEvh.msiGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                    • 199.232.214.172
                                                                                                                                                                                                                                    bc7EKCf.exeGet hashmaliciousStormKittyBrowse
                                                                                                                                                                                                                                    • 199.232.214.172
                                                                                                                                                                                                                                    SecurityScan_Release.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                    • 199.232.210.172
                                                                                                                                                                                                                                    w3245.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                    • 199.232.210.172
                                                                                                                                                                                                                                    FLKCAS1DzH.batGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                    • 199.232.214.172
                                                                                                                                                                                                                                    nTyPEbq9wQ.lnkGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                    • 199.232.214.172
                                                                                                                                                                                                                                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                                                                                                                    AKAMAI-ASUShttp://gdlp01.c-wss.com/gds/9/0100009679/06/DR-M200_series_driver_ver.1.2.12001.17001_SP4_Windows.zipGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                    • 104.102.63.195
                                                                                                                                                                                                                                    http://www.investecprivatebank.co.zaGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                    • 23.32.185.35
                                                                                                                                                                                                                                    payGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                    • 23.3.84.254
                                                                                                                                                                                                                                    https://pub-bcf66950f53c450fbd112d88b545ae06.r2.dev/bhn.htmlGet hashmaliciousHTMLPhisherBrowse
                                                                                                                                                                                                                                    • 23.201.255.95
  Zamowienie2025.exe | malicious | FormBook | 184.28.90.27
  boatnet.m68k.elf | malicious | Mirai, Gafgyt | 2.17.135.230
  http://www.first-security-verden.de | malicious | CAPTCHA Scam ClickFix | 184.28.90.27
  1. SOCIO Hotel & Resindences, Riara Rd _ Cost Plan #004_20250125 _ Issued.xlsm | malicious | Unknown | 184.28.90.27
  SERVED SUMMON LETTER 01-30-2025.pdf | malicious | HTMLPhisher | 104.77.220.172
  sysinfo | malicious | Unknown | 23.62.129.25
AKAMAI-ASUS
  http://gdlp01.c-wss.com/gds/9/0100009679/06/DR-M200_series_driver_ver.1.2.12001.17001_SP4_Windows.zip | malicious | Unknown | 104.102.63.195
  http://www.investecprivatebank.co.za | malicious | Unknown | 23.32.185.35
  pay | malicious | Unknown | 23.3.84.254
  https://pub-bcf66950f53c450fbd112d88b545ae06.r2.dev/bhn.html | malicious | HTMLPhisher | 23.201.255.95
  Zamowienie2025.exe | malicious | FormBook | 184.28.90.27
  boatnet.m68k.elf | malicious | Mirai, Gafgyt | 2.17.135.230
  http://www.first-security-verden.de | malicious | CAPTCHA Scam ClickFix | 184.28.90.27
  1. SOCIO Hotel & Resindences, Riara Rd _ Cost Plan #004_20250125 _ Issued.xlsm | malicious | Unknown | 184.28.90.27
  SERVED SUMMON LETTER 01-30-2025.pdf | malicious | HTMLPhisher | 104.77.220.172
  sysinfo | malicious | Unknown | 23.62.129.25
AKAMAI-ASN1EU
  https://email.uiin.org/lt.php?x=3DZy~GDEI6Kg687_yA5HguCg~a2hutfxvM0wZ5HLJaai6s4s0Uy.0eFz1nVzidHzlfYwZIHEKnGg6m | malicious | HTMLPhisher | 88.221.110.227
  https://email.uiin.org/lt.php?x=3DZy~GDEI6Kg687_yA5HguCg~a2hutfxvM0wZ5HLJaai6s4s0Uy.0eFz1nVzidHzlfYwZIHEKnGg6m | malicious | HTMLPhisher | 88.221.110.136
  https://s3.eu-north-1.amazonaws.com/eu-north-1.console.aws.amazon.com7772/slimemailer.html#kevin.bird@ngps.ca | malicious | Unknown | 88.221.110.26
  https://www.travelzoo.com/newsflash/gtt/106533631-2877830_619/?ru=https://enniumh.hostingfederall.com/leyXW/?e=jwicht@wc.com | malicious | HTMLPhisher | 23.215.18.43
  https://pub-bcf66950f53c450fbd112d88b545ae06.r2.dev/bhn.html | malicious | HTMLPhisher | 2.21.65.130
  https://url.za.m.mimecastprotect.com/s/g1pIC98XX1TZ3OJwUofGSqQtag?domain=pioneerselectricals.ae | malicious | Unknown | 2.21.65.141
  https://www.ispringsolutions.com/ispring-suite | malicious | Unknown | 88.221.110.227
  https://maldinls.za.com/ms365/GxhQ5LTFc4dTxAXt7aQ4uSKvr8ev9T2QXE9zWKA3pjFP.html | malicious | Unknown | 2.22.242.99
  https://steamcommmnuty.com/gift-card/43736951262 | malicious | Unknown | 95.101.149.47
  https://navatourtravel.com/gt/ | malicious | Unknown | 2.16.168.125
CLOUDFLARENETUS
  http://gdlp01.c-wss.com/gds/9/0100009679/06/DR-M200_series_driver_ver.1.2.12001.17001_SP4_Windows.zip | malicious | Unknown | 1.1.1.1
  REMITTANCE ADVICE 3678866210.html | malicious | Unknown | 104.21.2.8
  http://metropolitan.londonal.shop | malicious | Unknown | 172.67.152.186
  Employee-Handbooks For All 2025.svg | malicious | Unknown | 104.17.25.14
  PAYMENT ADVICE.exe | malicious | MassLogger RAT | 104.21.112.1
  https://email.splash.tools/c/eJwkzEFyhSAMANDTwE4mhCBxkUU3_x4KYWSq4x9N2-t3Oj3Ae02IUbl6lVgSI0ZeZq_nGE0cYowMlKgs4BD9LgvlnipBqbBVaNA5t5gTx6Stt1n9EATMEBNAQcpzYJq7LpS1Exes6gie97E-e7DrOh5_yG72dunD4cvhq97XT3vsHp86_U1TxKnrFv6N7auFep3-lm191jvY1-0IzGqoqzcZbaK8RCw5sjfRc7SplAy5zP5b8DcAAP__IddDwQ | malicious | Unknown | 162.159.128.61
  https://email.uiin.org/lt.php?x=3DZy~GDEI6Kg687_yA5HguCg~a2hutfxvM0wZ5HLJaai6s4s0Uy.0eFz1nVzidHzlfYwZIHEKnGg6m | malicious | HTMLPhisher | 104.17.31.174
  https://email.uiin.org/lt.php?x=3DZy~GDEI6Kg687_yA5HguCg~a2hutfxvM0wZ5HLJaai6s4s0Uy.0eFz1nVzidHzlfYwZIHEKnGg6m | malicious | HTMLPhisher | 104.17.31.174
  https://templates.rjuuc.edu.np | malicious | Unknown | 172.67.150.27
  http://www.investecprivatebank.co.za | malicious | Unknown | 172.66.0.227
Match
  Associated Sample Name / URL | Detection | Threat Name | Context

a0e9f5d64349fb13191bc781f81f42e1
  1738249253318.msi.bin.msi | malicious | Unknown | 104.21.64.1
  FileZilla.exe | malicious | LummaC Stealer | 104.21.64.1
  AnyDesk.pif.bin.exe | malicious | DBatLoader, MassLogger RAT, PureLog Stealer | 104.21.64.1
  REF--REQUIRED--ORDER-CONFIRMATIONS.cmd | malicious | DBatLoader, MassLogger RAT, PureLog Stealer | 104.21.64.1
  random.exe | malicious | LummaC | 104.21.64.1
  random.exe | malicious | Amadey, LummaC Stealer, PureLog Stealer, Stealc, zgRAT | 104.21.64.1
  random.exe | malicious | LummaC Stealer | 104.21.64.1
  random.exe | malicious | LummaC Stealer | 104.21.64.1
  random.exe | malicious | LummaC Stealer, PureLog Stealer | 104.21.64.1
  random.exe | malicious | LummaC | 104.21.64.1
Match
  Associated Sample Name / URL | Detection | Threat Name

C:\Users\user\AppData\Local\Temp\javasign_test.exe
  el.msi | malicious | Unknown
  ssez9kSCPc.exe | malicious | Unknown
  vXn4pan2US.exe | malicious | Unknown
  CLOlOswCpi.msi | malicious | Unknown
  vXn4pan2US.exe | malicious | Unknown
  nkCBRtd25H.exe | malicious | Unknown
  nkCBRtd25H.exe | malicious | Unknown
  24EPV9vjc5.exe | malicious | Unknown
  kXzODlqJak.exe | malicious | Unknown
  VmjvNTbD5J.exe | malicious | Unknown

C:\Users\user\AppData\Local\Temp\MSIBA81.tmp
  CLOlOswCpi.msi | malicious | Unknown
  K3UtwU3CH9.msi | malicious | Unknown
                                                                                                                                                                                                                                                            Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                                                            File Type:JSON data
                                                                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                                                                            Size (bytes):58444
                                                                                                                                                                                                                                                            Entropy (8bit):6.101697854598876
                                                                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                                                                            SSDEEP:1536:z/Ps+wsI7ynFCBS2qX7bZtPHgorQXdbiR3oM:z/0+zI7ynFkS20ptP0Xdbe3
                                                                                                                                                                                                                                                            MD5:4DB9DC56A5180F5772F6A73EED666752
                                                                                                                                                                                                                                                            SHA1:C8ABD5C38BB3BEB6DF62743633952E17C5EC1664
                                                                                                                                                                                                                                                            SHA-256:AEAC8D98921D5E2C09E931E4129B56306B8C183F91FCBFA59632A4D5F0CDA80A
                                                                                                                                                                                                                                                            SHA-512:8B711918E12D93CC14297D754915A83C6EC1472137FD0297159530A8E2CDB5820EA6C852EBC43EC4A516F8C821E337331E4F2F1C4194A96172806332D1F511AD
                                                                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                                                                            Preview:{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"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
Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:JSON data
Category:modified
Size (bytes):58900
Entropy (8bit):6.104608377948106
Encrypted:false
SSDEEP:1536:z/Ps+wsI7ynoCBS2qX7bszwgorQXdbiR3oM:z/0+zI7ynokS208Xdbe3
MD5:8115E32890B8C6E9CDA3B6AB1FF068E2
SHA1:F683617C16C18D68822EEA4BEF5E04292414C781
SHA-256:094FEB12285A97DA3A0BF58FFE1C6C7C6159757636E68C45CD9E80DE8321DB26
SHA-512:6237E0B2C0AF8EA55434F7C562BB95D8372F12EB12ABF8DBDCE8C48A39B10D6EA121FDDBBB0455144941FCCEE4523FA9652EBD093C24E653DBE2E4BD2018F4BF
Malicious:false
Process:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:JSON data
Category:dropped
Size (bytes):107893
Entropy (8bit):4.640152642343929
Encrypted:false
SSDEEP:1536:B/lv4EsQMNeQ9s5VwB34PsiaR+tjvYArQdW+Iuh57P7U:fwUQC5VwBIiElEd2K57P7U
MD5:628C9E9C9240CB5D8854F4E737E8E3E1
SHA1:D42A042A0E06415AA7215728C7F5DE6DF4517DDD
SHA-256:DEC06B922CB3636605946E641FBEA8A92E9FAE1F1F05ABB4C5A007327D83FF0A
SHA-512:E0F071D560AA10728058BC0F67A4A210F7BA606873F562429E8C682B495B094AC5F67B5EAE03A7C35638402B7B0A681AFB2DB52CA55622C5BF3A167D16763649
Malicious:false